PT-2026-37659 · Johnson Controls · Ac2000
Published: 2026-05-06 · Updated: 2026-05-06 · CVE-2026-21661
CVSS v4.0: 8.4 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Johnson Controls AC2000 versions 10.6 through 10
Johnson Controls AC2000 versions 11.0 through 9
Johnson Controls AC2000 versions 12 through 3
Description
An uncontrolled search path element issue allows for the manipulation of configuration file search paths. This can be exploited via DLL hijacking—a technique where a malicious library is placed in a location where the application will load it—to escalate privileges and move laterally through critical infrastructure networks, including the manufacturing, energy, and government sectors.
Recommendations
For versions 10.6 through 10, update to release 10.
For versions 11.0 through 9, update to release 9.
For versions 12 through 3, update to release 3.
Implement runtime segmentation to contain lateral movement after a compromise.
Fix
Uncontrolled Search Path Element
Weakness Enumeration
Related Identifiers
Affected Products
Ac2000