Attack Chain

1. A standard user logs into a Windows system where a vulnerable version of Johnson Controls CEM AC2000 is installed.
2. The user executes the CEM AC2000 application, which attempts to load a specific DLL file.
3. Due to an uncontrolled search path element (CWE-427), the application searches for the DLL in a predictable, user-writable directory before searching the system’s legitimate DLL directories.
4. The attacker places a malicious DLL file with the expected name in the user-writable directory.
5. The CEM AC2000 application loads the malicious DLL instead of the legitimate one.
6. The malicious DLL executes with the privileges of the CEM AC2000 application, which, due to the vulnerability, are elevated compared to the initial user.
7. The attacker now has elevated privileges on the host machine, potentially allowing them to access sensitive data or control system functions.
8. The attacker can now install malicious software, modify system settings, or exfiltrate data.

Impact

Successful exploitation of CVE-2026-21661 allows a standard user to escalate privileges on the host machine running Johnson Controls CEM AC2000. This can lead to unauthorized access to sensitive areas controlled by the system, manipulation of physical security controls, or further compromise of the underlying operating system. Given the wide deployment of CEM AC2000 across critical infrastructure sectors, this vulnerability poses a significant risk to physical and cyber security.

Recommendation

• Upgrade CEM AC 2000 12.0 to 12.0 Release 10 as recommended by Johnson Controls to remediate CVE-2026-21661.
• Upgrade CEM AC 2000 11.0 to 11.0 Release 9 as recommended by Johnson Controls to remediate CVE-2026-21661.
• Upgrade CEM AC 2000 10.6 to 10.6 Release 3 as recommended by Johnson Controls to remediate CVE-2026-21661.
• Monitor process creation events for CEM AC2000 loading DLLs from unusual or user-writable paths using the “Suspicious DLL Load by CEM AC2000” Sigma rule.