Johnson Controls access control system AC2000 vulnerable

Johnson Controls has disclosed a remote access vulnerability in the software that powers its enterprise-grade access control product, the CEM AC2000 Security Management System. The system is deployed at major installations such as airports. The vulnerability allows a remote attacker to access the AC2000 system without authorization.

What is the remote access vulnerability on AC2000 systems of Johnson Controls?

The vulnerability is tracked as CVE-2021-27663. It was first reported to the company in February, and the public announcement followed on 26th August, 2021. The NIST NVD rates it as CRITICAL with a base score of 9.8; a CVSS score of 9.3 is also reported for it, which likewise corresponds to a CRITICAL rating. The vulnerability is classified as ‘Incorrect authorization’.

The published description of the vulnerability reads:

A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5.

Johnson Controls released a security update for this vulnerability on 26th August 2021. The update clarifies the affected configurations as follows:

This vulnerability applies only to users who have implemented Single Sign On (SSO) and have installed the AC2000 Application Programming Interface (API).

What is the mitigation for CVE-2021-27663?

The fix is a vendor-supplied patch for the affected system. The vendor's mitigation guidance outlines the following steps:

  • Apply a patch to all affected versions and implementations
  • The fix will also be included in 10.5 Server Feature Pack 2, version 10.6, and all future releases
  • To access the patch, affected users should contact their CEM support team

Summary

The remote access vulnerability has a critical impact on the infrastructure it protects and should be patched immediately. We suggest contacting your Johnson Controls support team to arrange the upgrade or patching of the affected access control systems.

More details can be found in the security update released by Johnson Controls.