CVE-2022-21941
Published: 31 August 2022
Summary
CVE-2022-21941 is a critical-severity command injection (CWE-77) vulnerability in Johnson Controls iSTAR Ultra firmware. Its CVSS 3.1 base score is 10.0 (Critical).
Operationally, its EPSS score ranks it in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
CVE-2022-21941 is a command injection vulnerability, tracked under CWE-77, that affects all versions of the iSTAR Ultra access control system prior to 6.8.9.CU01. The flaw carries a CVSS 3.1 base score of 10.0 and permits an unauthenticated attacker to inject operating-system commands that run with root privileges on the controller's underlying platform.
The issue is exploitable over the network with no credentials and no user interaction. Successful exploitation yields root-level command execution and therefore complete control of the device: confidentiality, integrity and availability are all fully compromised, and because the impact extends beyond the vulnerable component's own security scope (CVSS scope: changed), the vector reaches the maximum score of 10.0.
Public advisories from CISA (ICSA-22-242-11) and Johnson Controls direct administrators to upgrade iSTAR Ultra to version 6.8.9.CU01 or later; the vendor's product security page also lists the fixed release and associated hardening guidance. Because no authentication is required, network reachability of the controller is the only barrier until the update is applied, so an inventory of deployed firmware versions is the first practical step.
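The only fix the advisories offer is a version threshold, so the useful check is whether each deployed controller reports a firmware version older than 6.8.9.CU01. The script below is an added example and is not code from Johnson Controls, CISA or this page. It assumes the controller reports its version as "major.minor.patch" with an optional ".CUnn" cumulative-update suffix (e.g. "6.8.9" or "6.8.9.CU01"), that a release without a CU suffix predates CU01 of the same base version, and that the inventory is a list of (hostname, version) pairs; the sample inventory is constructed, not real.

```python
import re
from typing import List, Tuple

# Fixed release named in ICSA-22-242-11 and the vendor advisory.
FIXED_VERSION = "6.8.9.CU01"

# Assumed version syntax: "major.minor.patch" plus an optional ".CUnn"
# cumulative-update suffix. How the controller actually reports its
# version is not stated on this page, so adjust the pattern to match
# whatever your management interface or scanner returns.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '6.8.9.CU01' into a comparable tuple (6, 8, 9, 1).

    A release without a CU suffix is treated as CU 0, i.e. older than
    CU01 of the same base version (assumption: cumulative updates are
    issued on top of the base release).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised iSTAR Ultra version string: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu is not None else 0)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is prior to the fixed release, i.e. exposed to CVE-2022-21941."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (hostname, version, status) for each controller in an inventory.

    Versions the parser does not recognise are reported as 'unknown'
    rather than silently treated as fixed, so they get a human look.
    """
    rows = []
    for host, version in inventory:
        try:
            status = "affected" if is_affected(version) else "fixed"
        except ValueError:
            status = "unknown"
        rows.append((host, version, status))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames, not real devices).
    sample = [
        ("istar-lobby-01", "6.8.9.CU01"),
        ("istar-lobby-02", "6.8.9"),
        ("istar-dock-01", "6.6.2.CU02"),
        ("istar-lab-01", "6.9.0"),
        ("istar-old-01", "fw-unknown"),
    ]
    for host, version, status in triage(sample):
        print(f"{host:16} {version:12} {status}")
```

The comparison is done on a numeric tuple rather than on strings so that "6.8.10" correctly sorts after "6.8.9.CU01"; anything that does not parse is flagged rather than assumed safe.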
The EPSS score for this CVE has remained flat at 0.1974 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27097
Vulnerability details
All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
iSTAR Ultra access control system, all versions prior to 6.8.9.CU01.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.