CISA republished a security advisory on May 5, 2026, amplifying a warning from Johnson Controls about a high-severity DLL hijacking vulnerability in its CEM AC2000 access control system. Tracked as CVE-2026-21661, the flaw resides in versions 10.6, 11.0, and 12.0 of the software, allowing a standard local user to execute arbitrary code with elevated privileges on Windows machines. The republishing signals that federal agencies and critical infrastructure operators must prioritize patching this actively exploited weakness.
Johnson Controls’ CEM AC2000 is a widely deployed physical access control solution used by governments, military installations, data centers, and corporate campuses to manage entry points, badge readers, and alarm monitoring. The software runs on Windows servers and workstations, integrating with door controllers and biometric devices. Its ubiquity in sensitive environments makes any privilege escalation flaw a serious concern—an attacker with low-level access to a front-desk computer, for example, could exploit this bug to seize SYSTEM-level control.
The Vulnerability at a Glance
CVE-2026-21661 is a classic DLL hijacking vulnerability, classified under CWE-427 (Uncontrolled Search Path Element). The application loads dynamic-link libraries from an unsecure location without proper validation, allowing an attacker to place a malicious DLL in a directory ahead of the legitimate one in the search order. The advisory states that the flaw can be triggered by a standard local user—someone with limited Windows credentials—to escalate privileges and run code in the context of the high-privilege service or process that loads the tampered DLL.
Johnson Controls’ own advisory indicates that the vulnerable component is part of the AC2000 client-server architecture. The software’s setup creates directories with weak permissions, and its legacy code fails to specify absolute paths for critical libraries. When the application or one of its background services starts, Windows searches a predefined list of folders for required DLLs. If an attacker has write access to any of these folders—often the case in poorly configured per-user directories—they can plant a crafted DLL named identically to the expected file. The next time the service restarts or the user logs in, the malicious DLL loads and executes.
How DLL Hijacking Unfolds on Windows
DLL hijacking is not new—Microsoft has documented it since Windows XP—but it remains a persistent attack vector because developers overlook secure coding practices. Windows follows a specific search order when loading DLLs: first, the directory of the application executable; then the current working directory; then the system directories (System32, Windows); and finally directories listed in the PATH environment variable. If an attacker can drop a rogue DLL into the current working directory or a PATH-accessible folder, they can redirect execution.
For CEM AC2000, the advisory suggests that the flaw lies in how the software handles third-party dependencies or updates. Many older access control systems use auto-update mechanisms that launch child processes in temporary folders with lax ACLs. A standard user—perhaps a receptionist or contractor with minimal domain privileges—could copy a weaponized DLL into %TEMP% or a shared folder, then trigger a software restart (e.g., by disconnecting a reader, or waiting for an automated maintenance cycle). The malicious code then inherits the security token of the AC2000 service, which typically runs as SYSTEM or a privileged service account. From there, the attacker can disable alarms, unlock doors, install keyloggers, or move laterally across the network.
Impact and Real-World Risk
The CVE’s high-severity rating reflects more than just the ease of exploitation. DLL hijacking does not require phishing, memory corruption, or social engineering—just file-write access and patience. In a corporate environment, many workstations are configured with standard user accounts, yet users often have write access to shared folders, Temp directories, or application-specific cache paths. A malicious insider or a remote attacker who first compromises a low-privilege account via separate means (e.g., spear-phishing for domain credentials) could then use this vulnerability to break out of the restricted sandbox.
Because CEM AC2000 controls physical access, the stakes are magnified. An attacker with SYSTEM rights on the access control server can manipulate door schedules, disable intrusion detection, or lock security personnel out of command centers. In a worst-case scenario, an adversary could grant themselves persistent physical access to sensitive areas. CISA’s decision to republish the advisory—rather than just issuing a new one—suggests that either the initial notice did not get adequate attention, or that exploitation has been observed in the wild. The agency has not released details on active campaigns, but the timeline implies that Johnson Controls first disclosed the flaw privately or in a limited advisory, and CISA’s May 5 republication elevates it to a broader audience.
CISA’s Known-Exploited Vulnerability Connection
CISA maintains a Known Exploited Vulnerabilities (KEV) catalog, a list of flaws that federal agencies must patch within strict deadlines. While CVE-2026-21661 is not yet listed in the KEV, the republication puts it on a short track. CISA’s alert format follows the Common Security Advisory Framework (CSAF) and typically includes a CVSS score, affected products, and mitigation guidance. The fact that this is a “republication” indicates that Johnson Controls may have updated their advisory—perhaps with additional affected versions, a higher severity rating, or new mitigation steps—and CISA is re-amplifying the message.
Organizations using CEM AC2000 should treat this alert with the same urgency as a KEV designation. The U.S. Cybersecurity & Infrastructure Security Agency rarely republishes vendor advisories without cause; the move hints that the vulnerability is being actively targeted or is of such high impact that compliance deadlines are imminent. Critical infrastructure sectors (energy, water, transportation, and defense) that run AC2000 must inventory their deployments immediately.
Affected Versions and Patch Status
The advisory lists three affected versions:
- CEM AC2000 10.6
- CEM AC2000 11.0
- CEM AC2000 12.0
Johnson Controls has released patches for each affected stream. The updated builds enforce secure DLL loading by:
- Using absolute paths for all critical libraries.
- Calling SetDllDirectory(), or LoadLibraryEx() with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, to restrict the search order.
- Applying stricter ACLs on installation directories so that unprivileged users cannot write to locations scanned during DLL loading.
Administrators should verify the patch revision numbers in the vendor’s download portal. Johnson Controls’ advisory (designated JCI-PSA-2026-07) notes that the fix is backward-compatible with existing configurations. No hotfix workarounds are provided; the only mitigation is to install the update.
Beyond the Patch: Hardening Windows Against DLL Hijacking
While applying the vendor patch is the primary defense, Windows administrators can take additional steps to block DLL hijacking attempts system-wide:
- Enable Safe DLL Search Mode via the registry value HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. When set to 1, it moves the current working directory lower in the search order, limiting trivial hijacks.
- Use application whitelisting tools like Windows Defender Application Control (WDAC) or AppLocker to restrict which DLLs can be loaded by sensitive processes.
- Audit file system permissions on directories listed in the PATH variable and temporary folders. Remove write access for standard users wherever possible.
- Deploy the Microsoft Sysinternals tool Process Monitor to identify processes that attempt to load DLLs from user-writable locations, helping uncover latent hijacking vectors.
- Consider running access control applications in dedicated, minimal-privilege service accounts rather than SYSTEM, reducing the blast radius if exploitation occurs.
These measures cannot replace the patch, but they add defense-in-depth, especially in environments where legacy software must coexist with modern security posture.
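The first and third hardening steps above can be checked from a script. The following PowerShell is an added example written for this article, not code from CISA, Johnson Controls, or the advisory: it reads the effective SafeDllSearchMode setting (optionally enforcing it), then walks the directories Windows consults for a bare DLL name (the application directory, the system directories, every PATH entry, plus the temp folder from the article's scenario) and reports any allow ACE that lets a low-privilege principal create files there. The AC2000 install path is a placeholder, not a path published by the vendor.

```powershell
# Added example (not vendor or CISA code): audit the two host-level conditions
# that make DLL hijacking cheap on a Windows box. Run from an elevated prompt;
# read-only unless -Enforce is supplied.
[CmdletBinding()]
param(
    # Placeholder application directory; the real AC2000 path is not in the advisory.
    [string]$AppDir = 'C:\Program Files\JohnsonControls\AC2000',
    # Set SafeDllSearchMode=1 when it is explicitly disabled.
    [switch]$Enforce
)

# --- 1. Safe DLL Search Mode -------------------------------------------------
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$mode  = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($null -eq $mode) {
    # An absent value means the Windows default, which is enabled on supported versions.
    Write-Host 'SafeDllSearchMode: value absent (Windows default = enabled)'
} elseif ($mode -eq 1) {
    Write-Host 'SafeDllSearchMode: 1 (enabled)'
} else {
    Write-Warning "SafeDllSearchMode: $mode (DISABLED - current directory searched before System32)"
    if ($Enforce) {
        Set-ItemProperty -Path $smKey -Name SafeDllSearchMode -Value 1 -Type DWord
        Write-Host 'SafeDllSearchMode set to 1; applies to newly started processes'
    }
}

# --- 2. Write access on search-path directories ------------------------------
# Well-known low-privilege principals whose write grants matter for hijacking.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# CreateFiles (same bit as WriteData) is the right that lets a principal drop a DLL.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-LowPrivWriteGrants {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Directories consulted for a DLL loaded by bare name, plus the temp folder.
$candidates = @($AppDir, "$env:SystemRoot\System32", $env:SystemRoot, $env:TEMP) +
              ($env:Path -split ';' | Where-Object { $_ -ne '' })

$findings = foreach ($dir in ($candidates | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $dir -PathType Container) { Get-LowPrivWriteGrants -Path $dir }
}

if ($findings) {
    Write-Warning 'Search-path directories writable by low-privilege principals:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No low-privilege CreateFiles grants found on the audited directories'
}
```

A directory that shows up in the findings is one where a standard user could plant a DLL ahead of the legitimate copy; the remediation is to remove the grant (or move the PATH entry) rather than to trust the application to load by absolute path.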
Broader Implications for Physical Security Systems
CVE-2026-21661 is a reminder that physical access control systems often run on general-purpose Windows OSes and share the same software supply-chain risks as any other enterprise application. Many organizations treat these systems as black boxes and neglect regular patching, leaving them exposed for years. The convergence of IT and operational technology (OT) means a compromise born in a Windows DLL can ripple into physical harm.
In 2026, the threat landscape demands that physical security integrators adopt the same secure development lifecycle practices expected of business software vendors. Johnson Controls’ swift patch release is commendable, but the recurrence of DLL hijacking—a vulnerability class that has been well-understood for two decades—raises questions about code maturity. Security researchers and red teams should continue probing these systems, and vendors must embrace mandatory code signing, strong naming, and sandboxing for their Windows components.
What Should Administrators Do Now?
- Identify all instances of CEM AC2000 in your environment. Check not just primary servers but also client workstations used for badge enrollment or monitoring. Version numbers can be retrieved from the “About” dialog or the registry.
- Download the appropriate patch from Johnson Controls’ secure portal. Verify the digital signature of the installer.
- Test the patch in a non-production environment, confirming that door controllers, alarms, and integration modules still function.
- Deploy the update during a scheduled maintenance window, and restart all related services.
- Monitor event logs for unusual DLL load errors or unexpected process creation related to AC2000. Use a SIEM rule to alert on any loading of DLLs from non-standard paths (e.g., %TEMP%, %APPDATA%).
- If immediate patching is not possible, isolate the AC2000 system on a VLAN with no egress internet access, and revoke write privileges of standard users to the installation directory and its subfolders.
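Three of the checklist items above (inventory by version, installer signature verification, and alerting on DLL loads from user-writable paths) can be scripted on each host. The PowerShell below is an added example for this article, not code from Johnson Controls or CISA. It assumes Sysmon is installed with image-load (event ID 7) logging enabled, which the advisory does not state; the product-name pattern, the installer path, and the notion that the AC2000 entry appears under the standard Uninstall keys are assumptions as well.

```powershell
# Added example (not vendor or CISA code). Assumptions: Sysmon with event ID 7
# logging; product DisplayName contains the pattern; installer path is a placeholder.
[CmdletBinding()]
param(
    [string]$ProductPattern = 'AC2000',                       # assumed DisplayName fragment
    [string]$InstallerPath  = 'C:\Patches\AC2000-update.exe',  # placeholder path
    [int]$Hours = 24                                           # look-back window for events
)

# 1. Inventory: installed product entries and versions from both registry views.
function Get-InstalledProduct {
    param([string]$Pattern)
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ItemProperty -Path ($roots | ForEach-Object { "$_\*" }) -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Pattern*" } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

# 2. Verify the installer's Authenticode signature before executing it.
function Test-InstallerSignature {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status                 # anything other than 'Valid' is a stop
        Signer = $sig.SignerCertificate.Subject
        Valid  = ($sig.Status -eq 'Valid')
    }
}

# 3. Detection: Sysmon image-load events where a matching process loaded a DLL
#    from a user-writable location (%TEMP%, %APPDATA%, ProgramData).
function Find-SuspiciousDllLoad {
    param([string]$ProcessPattern, [int]$Hours)
    $userPaths = '\\Users\\[^\\]+\\AppData\\', '\\Temp\\', '\\Windows\\Temp\\', '\\ProgramData\\'
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.Image -notlike "*$ProcessPattern*") { continue }
        $hit = $userPaths | Where-Object { $data.ImageLoaded -match $_ }
        if ($hit) {
            [pscustomobject]@{
                Time      = $ev.TimeCreated
                Process   = $data.Image
                Dll       = $data.ImageLoaded
                Signed    = $data.Signed
                SigStatus = $data.SignatureStatus
            }
        }
    }
}

Get-InstalledProduct -Pattern $ProductPattern | Format-Table -AutoSize
Test-InstallerSignature -Path $InstallerPath | Format-List
Find-SuspiciousDllLoad -ProcessPattern $ProductPattern -Hours $Hours | Format-Table -AutoSize
```

The same path patterns in Find-SuspiciousDllLoad are what a SIEM rule on forwarded Sysmon ID 7 events would match on; an unsigned DLL (Signed = false) loaded from one of those directories by the access control service is the condition worth paging on.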
A Pattern of Overlooked Access Control Vulnerabilities
CVE-2026-21661 is not an isolated incident. In recent years, multiple access control platforms from major vendors have been found to contain privilege escalation flaws, hardcoded credentials, or insecure deserialization bugs. Just last year, a competitor’s badge management system was found to load DLLs from a network share without validation, allowing any domain user to compromise the server. These patterns highlight a systemic underinvestment in security testing for physical security software.
CISA’s involvement, while reactive, is forcing the industry’s hand. By amplifying vendor advisories and pushing organizations toward faster remediation, the agency is raising the floor for what constitutes acceptable security hygiene. For Windows-centric networks, the message is clear: treat your access control servers as Tier 0 assets, and patch them with the same rigor as domain controllers.
Conclusion
The republication of CVE-2026-21661 by CISA should serve as a wake-up call for any organization running Johnson Controls’ CEM AC2000. A local user with minimal privileges can weaponize a misplaced DLL to gain total control of a system that governs physical entry points—a nightmare scenario for security teams. The vendor has delivered patches, and the path to remediation is straightforward. Yet the deeper lesson is that Windows DLL hijacking remains a live threat in 2026, particularly in specialized software that often escapes routine vulnerability management. Apply the patch, tighten file permissions, and audit your access control infrastructure. The gap between IT and physical security is only as strong as the weakest DLL.