{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/johnson-controls-inc./","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CEM AC2000"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","dll-hijacking","cem-ac2000"],"_cs_type":"advisory","_cs_vendors":["Johnson Controls Inc."],"content_html":"\u003cp\u003eJohnson Controls CEM AC2000, a physical access control system, is vulnerable to DLL hijacking due to an uncontrolled search path element. This vulnerability, identified as CVE-2026-21661, affects versions 12.0, 11.0, and 10.6. Successful exploitation could allow a standard user to escalate their privileges on the host machine. The affected sectors include Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, and Energy. Johnson Controls recommends upgrading to specific releases to mitigate this vulnerability. This privilege escalation could grant unauthorized access to sensitive areas and systems controlled by the CEM AC2000 software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA standard user logs into a Windows system where a vulnerable version of Johnson Controls CEM AC2000 is installed.\u003c/li\u003e\n\u003cli\u003eThe user executes the CEM AC2000 application, which attempts to load a specific DLL file.\u003c/li\u003e\n\u003cli\u003eDue to an uncontrolled search path element (CWE-427), the application searches for the DLL in a predictable, user-writable directory before searching the system\u0026rsquo;s legitimate DLL directories.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious DLL file with the expected name in the user-writable directory.\u003c/li\u003e\n\u003cli\u003eThe CEM AC2000 application loads the malicious DLL instead of the legitimate one.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes with the privileges of the CEM AC2000 application, which, due to the vulnerability, are elevated compared to the initial user.\u003c/li\u003e\n\u003cli\u003eThe attacker now has elevated privileges on the host machine, potentially allowing them to access sensitive data or control system functions.\u003c/li\u003e\n\u003cli\u003eThe attacker can now install malicious software, modify system settings, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21661 allows a standard user to escalate privileges on the host machine running Johnson Controls CEM AC2000. This can lead to unauthorized access to sensitive areas controlled by the system, manipulation of physical security controls, or further compromise of the underlying operating system. Given the wide deployment of CEM AC2000 across critical infrastructure sectors, this vulnerability poses a significant risk to physical and cyber security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CEM AC 2000 12.0 to 12.0 Release 10 as recommended by Johnson Controls to remediate CVE-2026-21661.\u003c/li\u003e\n\u003cli\u003eUpgrade CEM AC 2000 11.0 to 11.0 Release 9 as recommended by Johnson Controls to remediate CVE-2026-21661.\u003c/li\u003e\n\u003cli\u003eUpgrade CEM AC 2000 10.6 to 10.6 Release 3 as recommended by Johnson Controls to remediate CVE-2026-21661.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for CEM AC2000 loading DLLs from unusual or user-writable paths using the \u0026ldquo;Suspicious DLL Load by CEM AC2000\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T12:00:00Z","date_published":"2026-05-05T12:00:00Z","id":"/briefs/2026-05-johnson-controls-privesc/","summary":"A vulnerability exists in Johnson Controls CEM AC2000 versions 12.0, 11.0, and 10.6 due to an uncontrolled search path element that could allow a standard user to escalate privileges on the host machine via DLL hijacking.","title":"Johnson Controls CEM AC2000 Privilege Escalation via DLL Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-05-johnson-controls-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Johnson Controls Inc.","version":"https://jsonfeed.org/version/1.1"}