Description
Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths.

This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3.
Published: 2026-05-06
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JohnsonControls AC2000 on Windows contains an Uncontrolled Search Path Element vulnerability that allows an attacker to manipulate the configuration file search paths, potentially causing the system to load malicious components or execute arbitrary code. This flaw is classified as CWE-427 and represents a serious security risk.

Affected Systems

The vulnerability affects JohnsonControls AC2000 devices running version 10.6 prior to release 10, version 11.0 prior to release 9, and version 12 prior to release 3. All affected systems operate on Windows platforms.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, while the EPSS score is not available and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is local or remote via manipulation of the system’s executable search path, which could allow privilege escalation or remote code execution if an attacker gains sufficient access to the configuration files or can inject malicious code into the search path. Given the high CVSS score and the absence of active exploitation data, the risk remains significant but no confirmed exploitation has been reported.

Generated by OpenCVE AI on May 6, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest JohnsonControls AC2000 update that removes the uncontrolled search path element flaw.
  • If no update is available, reconfigure the system to disable dynamic search paths for executables and libraries, ensuring only trusted directories are used, and protect configuration files from unauthorized modifications.
  • Additionally, restrict administrative privileges to a minimum set of necessary users and monitor configuration files for changes to detect tampering promptly.

Generated by OpenCVE AI on May 6, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 16:45:00 +0000

Type Values Removed Values Added
Description Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3.
Title AC2000 Uncontrolled Search Path Element
First Time appeared Johnsoncontrols
Johnsoncontrols ac2000
Weaknesses CWE-427
CPEs cpe:2.3:a:johnsoncontrols:ac2000:*:*:windows:*:*:*:*:*
Vendors & Products Johnsoncontrols
Johnsoncontrols ac2000
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Johnsoncontrols Ac2000
cve-icon MITRE

Status: PUBLISHED

Assigner: jci

Published:

Updated: 2026-05-06T19:02:28.291Z

Reserved: 2026-01-02T13:23:28.170Z

Link: CVE-2026-21661

cve-icon Vulnrichment

Updated: 2026-05-06T19:02:23.363Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T17:16:21.890

Modified: 2026-05-06T19:05:56.337

Link: CVE-2026-21661

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T23:45:06Z

Weaknesses