VYPR
Advisory · Published May 5, 2026 · Updated May 17, 2026 · 1 source

Johnson Controls Patches Critical Privilege Escalation Flaw in CEM AC2000 Access Control System

Johnson Controls has released patches for a high-severity DLL hijacking vulnerability in its CEM AC2000 access control system that could allow local attackers to escalate privileges.

Johnson Controls has issued a security advisory regarding a critical vulnerability in its CEM AC2000 access control system, a platform widely used across critical infrastructure sectors including energy, transportation, and government facilities (CISA). The flaw, identified as CVE-2026-21661, stems from an uncontrolled search path element, specifically a DLL hijacking vulnerability, which could allow a local attacker to escalate their privileges on an affected host machine (CISA).

The vulnerability carries a CVSS v3.1 base score of 8.7, reflecting its high severity. According to the advisory, the flaw exists because the application improperly handles the search path for dynamic-link libraries (DLLs): it resolves library names through a search path it does not fully control, so a DLL placed in a directory on that path can be loaded in place of the intended library (CISA). By exploiting this uncontrolled search path, a standard user with local access could potentially execute malicious code with elevated privileges, effectively compromising the host system (CISA).

The affected versions of the CEM AC2000 software include 12.0, 11.0, and 10.6. Because these systems are frequently deployed in sensitive environments, such as critical manufacturing and commercial facilities, the potential for impact is significant (CISA). While there are currently no reports of this vulnerability being exploited in the wild, the nature of the flaw poses a serious risk to organizations relying on these systems for physical and operational security (CISA).

Johnson Controls has released specific updates to remediate the issue and urges users to upgrade their systems immediately. Users running version 12.0 should upgrade to 12.0 Release 10, those on version 11.0 should move to 11.0 Release 9, and users on version 10.6 are advised to update to 10.6 Release 3 (CISA). Detailed instructions for these updates can be found in the official Johnson Controls Product Security Advisory (CISA).

Beyond patching, CISA recommends that organizations implement defense-in-depth strategies to minimize the risk of exploitation. This includes isolating control system networks from business networks, placing devices behind firewalls, and ensuring that any necessary remote access is conducted via secure, updated VPNs (CISA). Organizations should also remain vigilant against social engineering, as attackers often leverage such techniques to gain the initial local access required to exploit vulnerabilities like DLL hijacking (CISA).
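Until the patched release is installed, administrators can at least confirm that no directory on the server's DLL search path is writable by standard users, which is the precondition a local attacker would need for the DLL hijacking class described above. The following PowerShell audit is an added example, not code from Johnson Controls or CISA; the install path in `$AppDir` is an assumed placeholder, and the directory list follows the documented Windows search order (application directory, system directories, current directory, then PATH).

```powershell
# Added example (not from the advisory): report search-path directories that
# low-privilege principals can write to. Each such directory should be fixed
# (tighten the ACL or remove the PATH entry), not left for a patch to cover.
$AppDir = 'C:\Program Files\CEM Systems\AC2000'   # assumption: replace with the real install directory

# Windows DLL search order: application dir, System32, System, Windows dir,
# current directory, then every PATH entry.
$searchPath = @(
    $AppDir,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System",
    $env:SystemRoot,
    (Get-Location).Path
) + ($env:Path -split ';' | Where-Object { $_ -ne '' })

# Principals whose write access makes a directory reachable by a standard user.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in ($searchPath | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A dangling PATH entry is still searched; remove it rather than leave it.
        Write-Output "MISSING  $dir"
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPriv -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    }
    if ($risky) {
        $who = ($risky | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
        Write-Output "WRITABLE $dir   by: $who"
    } else {
        Write-Output "ok       $dir"
    }
}
```

Run it under the account the AC2000 service or console executes as, since PATH and the current directory differ per user; any line marked WRITABLE or MISSING is a configuration to correct on the host.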

This disclosure highlights the ongoing challenge of securing legacy and industrial control systems against local privilege escalation attacks. As organizations continue to integrate physical security platforms with broader IT networks, the importance of maintaining rigorous patch management and network segmentation becomes increasingly critical. Security teams should monitor vendor advisories closely and prioritize the hardening of systems that manage sensitive infrastructure (CISA).

Synthesized by Vypr AI