You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
cem ac2000
About this tag
The CEM AC2000 access control system from Johnson Controls is the subject of a high-severity DLL hijacking vulnerability, CVE-2026-21661, affecting versions 10.6, 11.0, and 12.0. Republished by CISA in May 2026, the advisory warns that a standard local user can exploit this flaw to escalate privileges on the host machine. While the attack requires local access and no remote exploitation has been reported, the risk is significant in physical security environments where CEM AC2000 runs on Windows endpoints. The vulnerability highlights the intersection of Windows endpoint hygiene, building security, and industrial control risk, making it a critical concern for enterprise IT and security teams managing access control systems.
CISA on May 5, 2026 republished a Johnson Controls advisory warning that CEM AC2000 versions 10.6, 11.0, and 12.0 contain a high-severity DLL hijacking flaw, CVE-2026-21661, that can let a standard local user escalate privileges on the host machine. That sentence sounds narrow, almost...