Skip to main content

Johnson Controls AC2000 CVE-2026-21661

| EUVDEUVD-2026-27865 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-05-06 jci
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 06, 2026 - 17:32 vuln.today
CVSS changed
May 06, 2026 - 17:22 NVD
8.4 (HIGH)

DescriptionCVE.org

Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths.

This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3.

AnalysisAI

Local privilege escalation in Johnson Controls AC2000 physical access control system (versions 10.6-12.x) allows authenticated local users to execute arbitrary code with elevated privileges by manipulating DLL search paths. The CWE-427 uncontrolled search path vulnerability enables attackers with low-privilege local access to plant malicious libraries that AC2000 loads during startup or operation, achieving high confidentiality and integrity impact. No public exploit code identified at time of analysis, and CVSS 4.0 local attack vector (AV:L) with low privileges required (PR:L) indicates this requires initial system access but minimal complexity once achieved.

Technical ContextAI

This is a DLL hijacking vulnerability (CWE-427: Uncontrolled Search Path Element) affecting Johnson Controls AC2000 physical access control software running on Windows platforms. The vulnerability occurs when AC2000 searches for dynamic-link libraries (DLLs) or configuration files using an insecure search order that includes user-controllable directories. Windows DLL search order typically checks the application directory, system directories, current working directory, and PATH environment variable locations. An attacker with local access can place a malicious DLL with the same name as a legitimate AC2000 dependency in a higher-priority search location, causing the application to load and execute the attacker's code instead of the intended library. The CVSS 4.0 vector confirms local attack vector (AV:L), low attack complexity (AC:L), and no attack requirements (AT:N), meaning exploitation is straightforward once local access is obtained. The affected CPE identifies Johnson Controls AC2000 versions across three major release branches requiring remediation.

RemediationAI

Upgrade AC2000 to patched versions: version 10.6 Release 10 or later, version 11.0 Release 9 or later, or version 12 Release 3 or later, as confirmed by Johnson Controls security advisory at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories. Organizations unable to immediately patch should implement compensating controls: restrict local interactive logon rights to AC2000 servers/workstations to only essential personnel using Windows group policy (eliminates PR:L attack prerequisite but impacts operational flexibility), enable Windows AppLocker or application whitelisting to prevent unauthorized DLL loading from user-writable directories (may require extensive testing to avoid breaking legitimate AC2000 functionality), apply filesystem ACLs to deny write access to AC2000 installation directory and PATH locations for non-administrative users (reduces attack surface but requires careful permission auditing), and enable enhanced Windows logging for DLL load events via Sysmon or Windows Defender ATP (detection-only, does not prevent exploitation). Monitor AC2000 process behavior for unexpected DLL loads from non-standard paths. Note that compensating controls add administrative overhead and may not prevent all exploitation scenarios involving privileged local accounts.

Share

CVE-2026-21661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy