VYPR
patch · May 5, 2026 · 1 source

Johnson Controls Patches Privilege Escalation Vulnerability in CEM AC2000 (CVE-2026-21661)

A high-severity vulnerability in Johnson Controls' CEM AC2000 system (CVE-2026-21661) that could have allowed privilege escalation has been patched.

Johnson Controls has released a security update for its CEM AC2000 access control system to address a vulnerability that could allow for privilege escalation. The vulnerability, CVE-2026-21661, affects multiple versions of the CEM AC2000 software, including 12.0, 11.0, and 10.6.

Successful exploitation of this vulnerability could enable a standard user to gain elevated privileges on the host machine, potentially allowing them to access or modify sensitive system settings and data. The vulnerability has a CVSS score of 8.7, classifying it as high severity.

Johnson Controls has made an update available that remediates this issue. Organizations utilizing the affected versions of CEM AC2000 are strongly advised to apply the patch as soon as possible to prevent potential exploitation. The vulnerability impacts critical infrastructure sectors such as Critical Manufacturing, Commercial Facilities, and Government Services.

Synthesized by Vypr AI