PatchSiren cyber security CVE debrief

CVE-2026-21661 Raw CVE debrief

CVE-2026-21661 is a publicly disclosed DLL hijacking vulnerability in Johnson Controls CEM AC2000. According to CISA’s advisory, a local attacker could use the issue to escalate standard user privileges on the host machine. The supplied CVSS vector and score place this at 8.7 (HIGH), reflecting a local attack with no user interaction and high impact to confidentiality and integrity.

Vendor: Johnson Controls Inc.
Product: CEM AC2000
Affected versions: 12.0, 11.0, 10.6
CVSS: 8.7 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-05
Advisory published: 2026-05-05
Advisory updated: 2026-05-05

Who should care

Organizations running Johnson Controls CEM AC2000 on Windows hosts should pay attention, especially endpoint, IT, and OT teams responsible for application deployment, least-privilege controls, and patch management. Security teams should also review any local user accounts that can launch or influence the application.

Technical summary

CISA describes the flaw as DLL hijacking in Johnson Controls CEM AC2000. The supplied CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L, which indicates a local attack that needs only low privileges and no user interaction, and whose impact crosses a security boundary (changed scope). The practical security concern is that an attacker with standard user access on the host may be able to influence which library the application loads and thereby escalate privileges.

Defensive priority

High. The issue is locally exploitable, affects an industrial access-control product, and has vendor-recommended fixes available for all affected branches.

Recommended defensive actions

  • Upgrade CEM AC2000 12.0 to 12.0 Release 10.
  • Upgrade CEM AC2000 11.0 to 11.0 Release 9.
  • Upgrade CEM AC2000 10.6 to 10.6 Release 3.
  • Follow Johnson Controls' Product Security Advisory for the full mitigation guidance.
  • Review Windows host hardening and least-privilege controls for systems running AC2000.
  • Inventory exposed or user-accessible AC2000 installations and prioritize remediation on those hosts.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-125-05 / CVE-2026-21661, published and modified on 2026-05-05. The advisory states: 'The affected product is vulnerable to DLL hijacking, which could allow an attacker to escalate standard user privileges on the host machine.' The remediation section lists version-specific upgrades for CEM AC2000 12.0, 11.0, and 10.6. No KEV listing was included in the supplied corpus.

Official resources

Publicly disclosed by CISA on 2026-05-05 via ICSA-26-125-05; no KEV entry was present in the supplied data.