OTPulse

Johnson Controls Controlled Electronic Management Systems CEM Systems AC2000

Plan Patch · CVSS 8.2 · ICS-CERT ICSA-21-238-01 · Aug 26, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls CEM Systems AC2000 versions 10.1 through 10.5 contain an authorization bypass vulnerability (CWE-285) that allows a remote attacker to gain access without adequate credentials or authentication. Under specific conditions, an attacker with network access can exploit insufficient authorization checks to access the system. The vulnerability has a CVSS score of 8.2 (high severity) and an EPSS exploit probability of 0.7%. No known public exploits currently target this vulnerability.

What this means
What could happen
An attacker could gain unauthorized access to the CEM Systems AC2000 building automation platform without proper credentials, potentially allowing them to view or modify critical building systems like HVAC, lighting, or security controls.
Who's at risk
Building automation operators and facility managers who use Johnson Controls CEM Systems AC2000 for HVAC, lighting, and building security management. This includes municipal buildings, hospitals, office complexes, and any facility relying on AC2000 for climate control or access systems.
How it could be exploited
An attacker with network access to the CEM AC2000 system can send specially crafted requests to exploit insufficient authorization checks. This does not require authentication or user interaction, and the affected system will grant access if it is reachable over the network.
Prerequisites
  • Network access to the CEM AC2000 system or its management interface
  • No valid credentials required
remotely exploitable · no authentication required · low complexity · affects building automation and control systems
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
CEM Systems AC2000 | ≥ 10.1, ≤ 10.5 | 10.5 Server Feature Pack 2, 10.6, or later
Remediation & Mitigation
Do now
HARDENING: Segment CEM AC2000 systems from the business network and place behind a firewall to block unauthorized network access
HARDENING: Restrict network exposure of the CEM AC2000 system so it is not accessible from the Internet or untrusted networks
WORKAROUND: If remote access to CEM AC2000 is required, use a Virtual Private Network (VPN) with secure configuration and keep it updated
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply the patch from Johnson Controls by contacting the CEM support team to obtain the fix for affected versions 10.1 through 10.5