{"api_version":"1","generated_at":"2026-05-13T15:17:59+00:00","cve":"CVE-2021-27663","urls":{"html":"https://cve.report/CVE-2021-27663","api":"https://cve.report/api/cve/CVE-2021-27663.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-27663","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-27663"},"summary":{"title":"CVE-2021-27663","description":"A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5.","state":"PUBLIC","assigner":"productsecurity@jci.com","published_at":"2021-08-30 18:15:00","updated_at":"2022-10-25 18:00:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://www.johnsoncontrols.com/cyber-solutions/security-advisories","name":"https://www.johnsoncontrols.com/cyber-solutions/security-advisories","refsource":"CONFIRM","tags":[],"title":"Product Security Advisories","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://us-cert.gov/ics/advisories/ICSA-21-238-01","name":"ICS-CERT Advisory","refsource":"CERT","tags":[],"title":"Johnson Controls Controlled Electronic Management Systems CEM Systems AC2000 | CISA","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-27663","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27663","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"27663","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"johnsoncontrols","cpe5":"ac2000","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"27663","vulnerable":"1","versionEndIncluding":"10.5","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"johnsoncontrols","cpe5":"ac2000_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"productsecurity@jci.com","DATE_PUBLIC":"2021-08-30T14:08:00.000Z","ID":"CVE-2021-27663","STATE":"PUBLIC","TITLE":"CEM Systems AC2000"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"CEM Systems AC2000","version":{"version_data":[{"version_affected":"<=","version_name":"10.1","version_value":"10.5"}]}}]},"vendor_name":"Johnson Controls"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. 
This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-285: Improper Authorization"}]}]},"references":{"reference_data":[{"name":"https://www.johnsoncontrols.com/cyber-solutions/security-advisories","refsource":"CONFIRM","url":"https://www.johnsoncontrols.com/cyber-solutions/security-advisories"},{"name":"ICS-CERT Advisory","refsource":"CERT","url":"https://us-cert.gov/ics/advisories/ICSA-21-238-01"}]},"solution":[{"lang":"eng","value":"Apply a patch to all affected versions and implementations.\nThe fix will also be included in 10.5 Server Feature Pack 2, version 10.6 and all future releases.\nTo access the patch, affected users should contact their CEM support team:\nhttps://www.cemsys.com/support/technical-helpdesk/\n"}],"source":{"discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2021-08-30 18:15:00","lastModifiedDate":"2022-10-25 
18:00:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:johnsoncontrols:ac2000_firmware:*:*:*:*:*:*:*:*","versionStartIncluding":"10.1","versionEndIncluding":"10.5","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:johnsoncontrols:ac2000:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"27663","Ordinal":"202772","Title":"CVE-2021-27663","CVE":"CVE-2021-27663","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"27663","Ordinal":"1","NoteData":"A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. 
This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"27663","Ordinal":"2","NoteData":"2021-08-30","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"27663","Ordinal":"3","NoteData":"2021-08-30","Type":"Other","Title":"Modified"}]}}}