
Johnson Controls CEM AC2000 — DLL Hijacking Privilege Escalation (CVE-2026-21661)

Written by The 1898 & Co. Team | May 7, 2026

On May 5, 2026, the U.S. Cybersecurity and Infrastructure Security Agency published advisory ICSA-26-125-05 disclosing a high-severity DLL hijacking vulnerability, tracked as CVE-2026-21661, in the Johnson Controls CEM AC2000 access control system. The flaw permits a standard local user to escalate privileges on the Windows host running the CEM AC2000 server software by placing a malicious dynamic-link library in a location that is searched by the application during DLL resolution. Johnson Controls has released remediated builds across all supported product lines, and CISA reports no known public exploitation of the issue at the time of publication.

CEM AC2000 is the on-premises server platform of the CEM Systems product family that manages physical access control, badge issuance, alarm monitoring, and door-controller fleets across enterprise, government, transportation, and critical-manufacturing sites. Successful exploitation of CVE-2026-21661 elevates a standard authenticated user to the privileges of the CEM AC2000 service account on the host, which in typical deployments runs with administrative or LocalSystem rights so that it can reach door controllers, badge databases, and certificate stores. The vulnerability is not remotely exploitable: the attacker must already be able to run code on the host under a valid low-privileged account (CVSS AV:L, PR:L), whether through an interactive or Remote Desktop session or through an earlier compromise of such an account. For an attacker with that foothold, however, it is a deterministic path to administrative control of the access-control server and, by extension, of the physical security posture of the site.

The defect is classified as CWE-427 (Uncontrolled Search Path Element). CISA assigned it a CVSS v3.1 base score of 8.7 (High) with the vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L and a CVSS v4.0 base score of 8.4 (High) with the vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N. The score is high despite local-only access because the v3.1 vector records a scope change (S:C): the vulnerable component is the AC2000 application, but the attacker-supplied DLL executes in the service account's context on the underlying host, and confidentiality and integrity impact are rated High in both vectors. In practice a service-account compromise on this host enables tampering with door-access decisions, manipulation of badge-holder records, alteration of audit trails, and interference with alarm and intrusion-detection logic, all of which carry significant safety, regulatory, and operational consequences for sites that depend on physical access control as a primary or supplementary security control.

Threats and Vulnerabilities

CVE-2026-21661 (CVSS v3.1 8.7, CVSS v4.0 8.4) is an uncontrolled search path element vulnerability in the Johnson Controls CEM AC2000 server software: one or more library loads performed by the application or its supporting components resolve a DLL through a search order that includes attacker-writable directories ahead of the trusted system or installation paths. A standard authenticated user who can write to one of those directories stages a DLL whose name matches a library that the application or one of its dependencies expects to load; when the process next loads that library, at startup or later in its execution, it runs the attacker's code in its own security context.

The vulnerability affects CEM AC2000 12.0 prior to Release 10, CEM AC2000 11.0 prior to Release 9, and CEM AC2000 10.6 prior to Release 3, across all supported deployment topologies, including standalone servers, redundant pairs, and distributed sites. Johnson Controls credits Tom Hulme of CSACyber with the coordinated disclosure, and CISA reports no known public exploitation.

The prerequisite of a valid local account on the AC2000 host limits opportunistic risk but does not lower the severity in environments where AC2000 is administered by several users, where the host is shared with other workloads, or where an attacker has already obtained low-privileged access through phishing, supply-chain compromise, or chained exploitation of an unrelated vulnerability.

Client Impact

For organizations operating CEM AC2000, the operational impact of unmitigated exposure to CVE-2026-21661 extends beyond conventional IT compromise into the physical security domain, because the service account on the access-control server typically controls door-controller programming, badge-data integrity, alarm acknowledgement, and operator audit trails. An attacker who escalates privileges on the AC2000 host can grant themselves persistent badge access, suppress or backdate audit records, disable individual door alarms or anti-passback controls, exfiltrate credential data and any biometric data the server holds, and, in many architectures, push tampered configuration to downstream door controllers; these effects translate directly into safety, theft, and regulatory consequences for facilities that rely on AC2000 as a primary or supplementary physical-access control. The exposure is meaningful even in well-segmented environments, because access-control servers are often shared between corporate IT, facilities, and security-operations administrators, which widens the pool of standard local users who could chain this issue into a privilege-escalation foothold.

From a compliance and regulatory standpoint, exploitation or unmitigated presence of CVE-2026-21661 falls within the vulnerability-remediation and reporting obligations of several frameworks that govern critical-infrastructure operators and regulated facility owners, including NERC CIP-006 (physical security of BES Cyber Systems) and CIP-007 (system security management, including patch management) for electric-sector entities, the Transportation Security Administration security directives that require timely remediation of known vulnerabilities in transportation operational systems, the EU NIS2 Directive for essential and important entities operating physical infrastructure, ISA/IEC 62443-3-3 system requirement SR 2.1 (authorization enforcement) for industrial automation and control systems, and the HIPAA Security Rule physical safeguards where AC2000 protects facilities housing electronic protected health information. Even where formal reporting is not triggered, the vulnerability should be tracked through change-management and risk-acceptance processes, because remediation requires a coordinated server upgrade and a brief outage window during which door-controller communication may degrade.

Mitigations

Organizations operating Johnson Controls CEM AC2000 should plan to remediate CVE-2026-21661 during the next available maintenance window and apply the following actions in priority order:

1. Inventory every CEM AC2000 server and any redundant or distributed AC2000 host across the environment, identify the deployed major version (10.6, 11.0, or 12.0) and the current release level, and treat all hosts at a release below the fixed level as in-scope for remediation; include AC2000 hosts that share infrastructure with other workloads, since shared hosts widen the local-user attack surface.

2. Upgrade each affected host to the corresponding fixed release — CEM AC2000 12.0 Release 10, CEM AC2000 11.0 Release 9, or CEM AC2000 10.6 Release 3 — following Johnson Controls' published upgrade procedure, and stage the upgrade on a non-production redundant pair where available before promoting it to the primary site.

3. Until the upgrade can be completed, restrict local logon rights on each AC2000 host to the minimum set of administrators required to operate the system, audit and remove any standard-user accounts that do not have an active operational need to log onto the AC2000 host directly, and disable interactive Remote Desktop logon for all non-administrator accounts on the host.

4. Apply Windows file-system access controls to the CEM AC2000 installation directory and its subordinate program directories so that only the AC2000 service account and approved administrators have write access; confirm that no world-writable or user-writable directory appears anywhere in the effective DLL search path of the AC2000 process tree (the application directory, the Windows system directories, and every entry of the machine-level PATH, which is the PATH a Windows service inherits); and remove from that PATH any entry that points to a user-writable location.

5. Enable application allow-listing with DLL coverage (Microsoft AppLocker with the DLL rule collection enforced, Windows Defender Application Control, or an equivalent EDR-enforced policy) on each AC2000 host so that unsigned or unexpected DLLs cannot be loaded by the AC2000 service or its child processes; because a missing rule stops the service from loading a legitimate library, build the allow-list from the installed binaries and test it on a non-production host before enforcing it. In parallel, stream module-load events (for example Sysmon Event ID 7, ImageLoaded) from the host into the SIEM for the duration of the remediation window so that any anomalous DLL load can be detected and triaged.

These five steps reduce the practical exploitability of CVE-2026-21661 prior to patching, accelerate the supported remediation, and provide detection coverage in the period between disclosure and operational rollout.
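A read-only host check covering steps 4 and 5, as an added example written for this advisory; it is not code from CISA, Johnson Controls, or 1898 & Co. tooling. It runs in PowerShell on the AC2000 host itself: it reconstructs the default DLL search order for the AC2000 service binary, flags every directory on that path a standard user can write to, pulls recent Sysmon image-load events for the service process that are unsigned or loaded from outside the application and Windows directories, and drafts an AppLocker DLL allow-list for review without applying it. The service-name pattern "*AC2000*", the presence of Sysmon with Event ID 7 logging, and the list of low-privilege principals are assumptions; the real service names are whatever the installer registered on your host.

```powershell
# Added example (not from the CISA or Johnson Controls advisories). Read-only audit for
# steps 4 and 5. ASSUMPTIONS: the service name or display name contains "AC2000", Sysmon
# is installed with image-load (Event ID 7) logging, and the script runs elevated.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

# Principals that stand in for "a standard local user"; extend for site-specific groups.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-Ac2000Executable {
    # Service binary path(s) and logon account for services matching the assumed pattern.
    param([string]$ServicePattern = '*AC2000*')
    $svcs = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern }
    if (-not $svcs) { throw "No service matches '$ServicePattern'; adjust the pattern." }
    foreach ($s in $svcs) {
        $exe = if ($s.PathName -match '^\s*"([^"]+)"') { $Matches[1] } else { ($s.PathName -split '\s+')[0] }
        [pscustomobject]@{ Service = $s.Name; Account = $s.StartName; Exe = $exe }
    }
}

function Test-UserWritable {
    # True if a low-privileged principal holds an Allow ACE permitting file creation or
    # modification in $Path, i.e. the precondition for planting a DLL there.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::CreateDirectories -bor $fsr::Write -bor
                       $fsr::Modify -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    $genericMask = 0x40000000 -bor 0x10000000          # GENERIC_WRITE | GENERIC_ALL
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) { return $true }
    }
    return $false
}

function Get-Ac2000SearchPath {
    # Default SafeDllSearchMode order for a service: application directory, System32,
    # System, Windows, then the machine-level PATH (the one a service inherits, not the
    # user PATH of whoever is logged on). The current directory is omitted.
    param([string]$ServicePattern = '*AC2000*')
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ } | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
    foreach ($svc in (Get-Ac2000Executable -ServicePattern $ServicePattern)) {
        $entries = @([pscustomobject]@{ Source = 'AppDir'; Directory = (Split-Path -Parent $svc.Exe) })
        foreach ($d in "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot) {
            $entries += [pscustomobject]@{ Source = 'System'; Directory = $d }
        }
        foreach ($d in $machinePath) { $entries += [pscustomobject]@{ Source = 'PATH'; Directory = $d } }
        foreach ($e in $entries) {
            [pscustomobject]@{ Service = $svc.Service; Account = $svc.Account; Source = $e.Source
                               Directory = $e.Directory; UserWritable = (Test-UserWritable -Path $e.Directory) }
        }
    }
}

function Get-UntrustedModuleLoads {
    # Sysmon Event ID 7 (ImageLoaded) for the AC2000 process(es): keep loads that are not
    # validly signed or that came from outside the application directory and %SystemRoot%.
    param([string]$ServicePattern = '*AC2000*', [int]$Hours = 24)
    $exes = @(Get-Ac2000Executable -ServicePattern $ServicePattern | ForEach-Object Exe)
    $roots = @($env:SystemRoot) + @($exes | ForEach-Object { Split-Path -Parent $_ })
    $trusted = @($roots | ForEach-Object { $_.TrimEnd('\') + '\' })
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($exes -notcontains $d['Image']) { continue }           # only the AC2000 process(es)
        $fromTrusted = $trusted | Where-Object { $d['ImageLoaded'].StartsWith($_, 'OrdinalIgnoreCase') }
        if ($d['SignatureStatus'] -ne 'Valid' -or -not $fromTrusted) {
            [pscustomobject]@{ Time = $ev.TimeCreated; Process = $d['Image']; Module = $d['ImageLoaded']
                               Signed = $d['Signed']; Status = $d['SignatureStatus']; Hashes = $d['Hashes'] }
        }
    }
}

# --- Run the audit and report (no changes are made to the host) ---
$searchPath = @(Get-Ac2000SearchPath)
$searchPath | Format-Table Service, Account, Source, Directory, UserWritable -AutoSize
$exposed = @($searchPath | Where-Object UserWritable | ForEach-Object Directory | Select-Object -Unique)
if ($exposed) { Write-Warning ('Standard users can write to DLL search-path directories: ' + ($exposed -join '; ')) }
else { Write-Host 'No user-writable directory on the reconstructed DLL search path.' }
Get-UntrustedModuleLoads | Format-Table -AutoSize

# Step 5: draft (do not apply) an AppLocker DLL allow-list from the installed binaries.
# Review it, test it on a non-production pair, then import with
# Set-AppLockerPolicy -XmlPolicy <file> -Merge. DLL rules only act once the Dll rule
# collection is enforced, and a missing rule stops the service from loading that library.
$appDirs = @($searchPath | Where-Object Source -eq 'AppDir' | ForEach-Object Directory | Select-Object -Unique)
$appDirs | ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Dll } |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath "$env:TEMP\ac2000-dll-allowlist.xml" -Encoding utf8
"AppLocker draft written to $env:TEMP\ac2000-dll-allowlist.xml"
```

Two details matter when reading the output. The search path is built from the machine-level PATH because that is what the Service Control Manager hands to a service; checking $env:Path from an administrator's own session would miss or add entries. A directory reported as UserWritable under the PATH source is the concrete finding step 4 asks for, and any row from Get-UntrustedModuleLoads whose Module sits in such a directory is the event step 5 expects the SIEM to alert on.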

1898 & Co. Response

1898 & Co. has reviewed CISA advisory ICSA-26-125-05 and the corresponding Johnson Controls product advisory and has added CEM AC2000 to the priority watchlist used by our Managed Threat Protection and Response team for client environments where the access-control system is in scope. We are tuning detections to surface anomalous DLL loads, unexpected process trees rooted in AC2000 services, and standard-user write activity into the AC2000 installation directory, and we will issue tailored guidance to clients whose asset inventories include affected versions.

Our consulting practice has long incorporated physical-access control servers into industrial perimeter and OT-DMZ assessments, and we are using the disclosure as a prompt to revisit installation-path permissions, service-account hygiene, and operator-account scoping for AC2000 deployments under our care. We are coordinating with clients in regulated sectors — electric, oil and gas, water, transportation, and government services — to align upgrade scheduling with maintenance windows, ISA/IEC 62443 lifecycle reviews, and applicable physical-security regulatory obligations.

Clients with active retainers should engage their assigned 1898 & Co. consultant to confirm the AC2000 inventory, validate fixed-release deployment plans, review host-level local-logon rights and DLL search-path hygiene, and schedule a hunt for any pre-patch indicators of compromise. Clients without an active retainer who require emergency support can contact 1898 & Co. directly to engage rapid assessment, hardening, or threat-hunting services on a project basis.

Sources

1. CISA ICS Advisory ICSA-26-125-05 — Johnson Controls CEM AC2000

2. NVD Entry — CVE-2026-21661

3. MITRE CVE Entry — CVE-2026-21661