CVE-2026-21661 Overview
CVE-2026-21661 is an Uncontrolled Search Path Element vulnerability [CWE-427] affecting Johnson Controls AC2000 access control software on Windows. The flaw lets a local authenticated attacker manipulate configuration file search paths to load attacker-controlled resources. Successful exploitation can lead to high-impact compromise of confidentiality and integrity on the host running AC2000.
The issue affects AC2000 versions from 10.6 before release 10, from 11.0 before release 9, and from 12 before release 3. Johnson Controls has published guidance through its security advisory portal.
Critical Impact
A local attacker with low privileges can leverage manipulated search paths to execute attacker-controlled configuration or binaries within the AC2000 process context.
Affected Products
- Johnson Controls AC2000 versions 10.6 prior to release 10
- Johnson Controls AC2000 versions 11.0 prior to release 9
- Johnson Controls AC2000 versions 12 prior to release 3
Discovery Timeline
- 2026-05-06 - CVE-2026-21661 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-21661
Vulnerability Analysis
The vulnerability stems from Johnson Controls AC2000 resolving configuration file paths through an uncontrolled search sequence on Windows. When the application loads configuration data, it consults directories that a low-privileged local user can write to or influence. An attacker who places a crafted configuration file along that search path forces AC2000 to read attacker-controlled values.
Because AC2000 is an enterprise access control product, modified configuration data can alter authentication logic, redirect logging, or change paths to dependent binaries. The CVSS vector indicates a local attack with low complexity and low privileges, no user interaction, and high impact to confidentiality and integrity.
Root Cause
The root cause is improper restriction of the search path used to locate configuration resources, classified under [CWE-427] Uncontrolled Search Path Element. The application relies on relative paths or insecure directory ordering rather than absolute, ACL-protected locations. This permits planted files in user-writable directories to take precedence over legitimate configuration sources.
Attack Vector
Exploitation requires local access with valid low-privileged credentials on the Windows host running AC2000. The attacker writes a malicious configuration file or library to a directory that appears earlier in the AC2000 search order. When the AC2000 service or component subsequently reads configuration, it loads the attacker-supplied data, granting control over application behavior in a higher-privileged context.
No verified public exploit code is available for CVE-2026-21661. Refer to the Johnson Controls Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-21661
Indicators of Compromise
- Unexpected configuration files appearing in directories along the AC2000 search path, especially in user-writable locations
- New or modified DLLs or .ini/.cfg files within AC2000 working directories not matching vendor-shipped hashes
- Files dropped into directories along the AC2000 search path, captured as Sysmon Event ID 11 (FileCreate), and AC2000 components started from non-standard working directories, captured as Sysmon Event ID 1 (ProcessCreate)
- Anomalous child processes spawned by AC2000 service accounts following configuration reload
Detection Strategies
- Baseline the legitimate AC2000 installation directory contents and alert on file additions or modifications outside vendor updates
- Monitor file system access by AC2000 service binaries using endpoint telemetry to flag reads from unexpected directories
- Hunt for low-privileged users writing files into directories shared with AC2000 components
- Correlate file creation events with subsequent AC2000 service restarts or configuration reloads
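The baselining and file-integrity strategies above can be scripted without a commercial FIM product. The following PowerShell script is an added example, not code from this advisory or from Johnson Controls: it hashes every file under the AC2000 install tree with SHA-256, stores the result as a baseline, and on later runs reports files that were added, modified or removed, sorting loadable modules and configuration files (the file types a CWE-427 plant would use) to the top. The install path and the baseline file location are assumptions; set them to the paths the deployment actually uses, and re-run with -Update only after a verified vendor update.

```powershell
# Added example (not vendor code): SHA-256 drift detection for the AC2000 install tree.
# $InstallPath and $BaselinePath are assumptions for this deployment.
param(
    [string]$InstallPath  = 'C:\Program Files\AC2000',
    [string]$BaselinePath = 'C:\ProgramData\AC2000-baseline.json',
    [switch]$Update   # re-create the baseline after a verified vendor update
)

function Get-TreeHashes {
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Store paths relative to the root so the baseline survives a relocation
            $rel  = $_.FullName.Substring($Root.Length).TrimStart('\')
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($hash) { $table[$rel] = $hash.Hash }
        }
    return $table
}

$current = Get-TreeHashes -Root $InstallPath

if ($Update -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 2 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written for $($current.Count) files to $BaselinePath"
    return
}

# ConvertFrom-Json yields a PSCustomObject; copy it into a hashtable for key lookups
$baseline = @{}
(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

$allPaths = @($current.Keys) + @($baseline.Keys) | Sort-Object -Unique

$findings = foreach ($path in $allPaths) {
    $state = $null
    if (-not $baseline.ContainsKey($path))        { $state = 'ADDED' }
    elseif (-not $current.ContainsKey($path))     { $state = 'REMOVED' }
    elseif ($current[$path] -ne $baseline[$path]) { $state = 'MODIFIED' }
    if ($state) {
        [pscustomobject]@{
            Change     = $state
            Path       = $path
            # Loadable modules and configuration files are what search-path abuse plants
            LoadOrConf = [bool]($path -match '\.(dll|exe|ini|cfg|xml|config)$')
        }
    }
}

if ($findings) {
    $findings | Sort-Object -Property LoadOrConf -Descending | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or SIEM collector can treat drift as an alert
}
Write-Output "No drift from baseline ($($current.Count) files checked)"
```

Run it once as an administrator to write the baseline, then schedule it; a non-zero exit or any ADDED/MODIFIED row under a directory the service reads from is exactly the indicator listed above and should be correlated with the service restart or configuration reload that followed it.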
Monitoring Recommendations
- Enable Windows Security auditing for object access on AC2000 install paths and parent directories
- Forward Sysmon and Windows Event Logs to a centralized SIEM for search-path hijacking and DLL-loading analytics
- Track integrity of AC2000 configuration files using file integrity monitoring tools with cryptographic hashing
- Alert on AC2000 processes loading modules from non-system, non-vendor directories
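Object-access auditing on the AC2000 paths only produces events once both the audit policy subcategory and a SACL on the directories are in place. The PowerShell below is an added example, not code from this advisory or from Johnson Controls: it enables the File System audit subcategory, attaches an inheritable SACL that records successful and failed write-type operations by any principal, and pulls the resulting Security event 4663 entries for a quick check. The audited paths are assumptions; it must run elevated, because reading and writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not vendor code): enable object-access auditing on AC2000 directories.
# $AuditPaths is an assumption; list every directory the service reads configuration or modules from.
$AuditPaths = @('C:\Program Files\AC2000', 'C:\ProgramData\AC2000')

# 1. Enable the "File System" subcategory; without it a SACL generates no events
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build an audit rule for write-type operations by Everyone, inherited by all children
$writeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    $writeRights,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

foreach ($path in $AuditPaths) {
    if (-not (Test-Path $path)) { Write-Warning "Skipping missing path $path"; continue }
    $acl = Get-Acl -Path $path -Audit      # -Audit is required to read and later write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Audit rule applied to $path"
}

# 3. Quick check: recent 4663 (object access) events whose object name is under the audited tree
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape('AC2000') } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Select-Object -First 20
```

Forward the 4663 events to the SIEM and alert when the Subject account is not the AC2000 service account or an administrator; on a busy host, narrow the rule to the specific configuration files and module directories rather than the whole tree to keep the volume manageable.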
How to Mitigate CVE-2026-21661
Immediate Actions Required
- Upgrade AC2000 to release 10 for the 10.6 branch, release 9 for the 11.0 branch, or release 3 for the 12 branch
- Restrict interactive and remote logon rights on AC2000 hosts to a minimal set of administrators
- Apply NTFS ACLs that prevent non-administrative users from writing to any directory the AC2000 service reads
- Audit existing AC2000 directories for unauthorized files prior to applying updates
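Before applying the ACL restriction above it is worth confirming which directories actually grant write rights to broad groups, since inherited ACEs on subfolders and data directories are easy to miss. The PowerShell below is an added example, not code from this advisory or from Johnson Controls: it walks each listed directory tree and reports Allow ACEs for well-known broad principals that carry any file-creation, modification or deletion right, including generic-rights ACEs that do not decode to named FileSystemRights values. The directory and principal lists are assumptions; extend them with every path the AC2000 service resolves configuration or modules from.

```powershell
# Added example (not vendor code): find AC2000 search-path directories writable by broad principals.
# $Paths and $BroadPrincipals are assumptions; adjust for the deployment.
$Paths = @(
    'C:\Program Files\AC2000',
    'C:\ProgramData\AC2000'
)

# Principals that should never hold write rights on a directory the service reads from
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller plant or replace a file (CreateFiles == WriteData, CreateDirectories == AppendData)
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

function Test-WritableByBroadPrincipal {
    param([string]$Directory)
    $acl = Get-Acl -Path $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        # Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) do not map onto
        # the named FileSystemRights values, so test those bits separately
        $generic  = ($raw -band 0x50000000) -ne 0
        $explicit = ($ace.FileSystemRights -band $WriteMask) -ne 0
        if ($generic -or $explicit) {
            [pscustomobject]@{
                Directory = $Directory
                Principal = $ace.IdentityReference.Value
                Rights    = if ($generic) { ('0x{0:X8} (generic)' -f $raw) } else { $ace.FileSystemRights }
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($root in $Paths) {
    if (-not (Test-Path $root)) { Write-Warning "Skipping missing path $root"; continue }
    Test-WritableByBroadPrincipal -Directory $root
    Get-ChildItem -Path $root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-WritableByBroadPrincipal -Directory $_.FullName }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Found $(@($findings).Count) ACE(s) granting broad write access; tighten with icacls or Set-Acl"
    exit 1
}
Write-Output 'No broad write access found on the audited AC2000 directories'
```

Any row in the output is a directory where a low-privileged local user could place a file ahead of the legitimate configuration; fix those first, then re-run the check after the vendor update, since installers sometimes reset ACLs on the directories they touch.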
Patch Information
Johnson Controls has released fixed versions addressing the uncontrolled search path behavior. Consult the Johnson Controls Security Advisory for download links, release notes, and verification hashes for each affected branch.
Workarounds
- Run AC2000 services under a dedicated, least-privileged service account isolated from interactive users
- Place AC2000 hosts on a segmented management network with restricted local logon access
- Apply application allowlisting to prevent execution of unsigned binaries from AC2000 working directories
- Enable Windows Defender Application Control or AppLocker policies to enforce trusted load paths
# Configuration example
# Restrict write access on AC2000 directories to administrators and SYSTEM.
# /inheritance:r strips the inherited ACEs, so every principal that needs access
# must be granted explicitly on the next line; add the AC2000 service account if
# the service does not run as SYSTEM, and repeat for every directory the service reads.
icacls "C:\Program Files\AC2000" /inheritance:r
icacls "C:\Program Files\AC2000" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.