CISA 2026-05-05

Johnson Controls CEM AC2000

CVE-2026-21661

Machine-generated analysis · WAYSCloud LLM

The vulnerability affects multiple versions of Johnson Controls CEM AC2000 with a CVSS score of 8.7. The advisory explicitly mentions deployment in critical infrastructure sectors worldwide.

Context

Johnson Controls CEM AC2000 is a building management system used in critical infrastructure sectors including manufacturing, commercial facilities, and transportation systems. The advisory states that standard users could escalate privileges on the host machine through DLL hijacking. The vulnerability affects versions 10.6, 11.0, and 12.0 of the software, with specific upgrade releases available for mitigation.

Operator considerations

Check: Inventory all instances of CEM AC2000 versions 10.6, 11.0, and 12.0.
Patch: Upgrade to 10.6 Release 3, 11.0 Release 9, or 12.0 Release 10 as specified in the vendor advisory.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of this vulnerability could allow a standard user to escalate privileges on the host machine.

The following versions of Johnson Controls CEM AC2000 are affected:

CEM AC2000 12.0 (CVE-2026-21661)

CEM AC2000 11.0 (CVE-2026-21661)

CEM AC2000 10.6 (CVE-2026-21661)

Vendor

Equipment

Johnson Controls Inc.

Johnson Controls CEM AC2000

Uncontrolled Search Path Element

Critical Infrastructure Sectors: Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Ireland

The affected product is vulnerable to DLL hijacking, which could allow an attacker to escalate standard user privileges on the host machine.

Johnson Controls CEM AC2000

MitigationJohnson Controls recommends users apply the following mitigations:

MitigationUpgrade CEM AC 200...

Read the full advisory on CISA →