According to CISA, the Johnson Controls CEM AC2000 advisory notes that successful exploitation of the vulnerability could allow a standard user to escalate privileges on the host machine. The affected products are Johnson Controls CEM AC2000 versions 12.0, 11.0 and 10.6, with CVE-2026-21661 assigned and a CVSS v3.1 base score of 8.7 (HIGH). The vulnerability stems from an uncontrolled search path element, described as DLL hijacking, which could enable privilege escalation for a local user.
Remediation guidance from Johnson Controls requires upgrading to 12.0 Release 10, 11.0 Release 9, or 10.6 Release 3, and more detailed instructions are available in the Johnson Controls security advisories. Notably, CISA states that there is no known public exploitation at this time and the vulnerability is not exploitable remotely.
The advisory emphasizes defensive measures such as minimising network exposure for control system devices, using firewalls, and employing secure remote access, including VPNs where appropriate. Release date: 5 May 2026.