Johnson Controls CEM AC2000
Status: Plan Patch
CVSS: 8.7
Advisory: ICS-CERT ICSA-26-125-05
Published: May 5, 2026
Vendor: Johnson Controls
Attack path
- Attack Vector: Local
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
A privilege escalation vulnerability in Johnson Controls CEM AC2000 versions 10.6, 11.0, and 12.0 allows a standard user to escalate to higher privileges on the host machine. Successful exploitation could enable an attacker to gain administrative control over the building automation system, including HVAC, lighting, fire, and access control functions. Johnson Controls has released patched versions: 12.0 Release 10, 11.0 Release 9, and 10.6 Release 3.
What this means
What could happen
A user with standard privileges on a system running CEM AC2000 could escalate to higher permissions, potentially gaining control over building automation functions like HVAC, lighting, or access control systems.
Who's at risk
Building managers and facility operators using Johnson Controls CEM AC2000 for HVAC, lighting, fire suppression, or access control systems. This affects any organization running version 10.6, 11.0, or 12.0 of this central energy management platform.
How it could be exploited
An attacker with local access to a Windows or server system running CEM AC2000 can exploit a privilege escalation flaw to run arbitrary code with administrator-level permissions. This could allow modification of building automation setpoints, disabling safety controls, or disrupting facility operations.
Prerequisites
- Local user account on the system running CEM AC2000
- Standard (non-administrator) user privileges
Key points
- Requires local user access to exploit
- Allows privilege escalation to administrative level
- Affects building automation and safety systems
- CVSS 8.7 - high severity
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
3 pending
- Product: CEM AC2000 12.0; Affected Versions: 12.0; Fix Status: No fix yet
- Product: CEM AC2000 11.0; Affected Versions: 11.0; Fix Status: No fix yet
- Product: CEM AC2000 10.6; Affected Versions: 10.6; Fix Status: No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- Hotfix: Upgrade CEM AC2000 12.0 to Release 10
- Hotfix: Upgrade CEM AC2000 11.0 to Release 9
- Hotfix: Upgrade CEM AC2000 10.6 to Release 3
Long-term hardening
- Hardening: Restrict local access to CEM AC2000 systems to authorized personnel only; limit user account privileges to non-administrative where operationally feasible
CVEs (1)