Cyber Resilience

CVE-2026-21661

High

Published: 06 May 2026

Published
06 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v4 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 1.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21661 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Johnsoncontrols (inferred from references). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.008 Path Interception by Search Order Hijacking Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

CWE-427 uncontrolled search path directly enables search order hijacking for malicious file loading.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Johnsoncontrols
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References