
ICS: Multiple Johnson Controls Frick Controls Quantum HD Vulnerabilities

Severity

High

Analysis Summary

CVE-2026-21660 (CVSS 9.8)

A Plaintext Storage of a Password vulnerability (hardcoded email credentials saved in plaintext in the firmware) in Frick Controls Quantum HD version 10.22 and prior leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise.
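As an added, defender-side example (not code from this advisory, from Rewterz or from Johnson Controls): a small static scanner that looks for key=value secrets inside a firmware image, the kind of check that surfaces plaintext-stored email credentials of the class described above. The sample blob, the key names and the values are constructed for the demonstration; the scanner knows nothing about the real Quantum HD firmware layout.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Constructed sample "firmware" blob for the demonstration: a fake header, some
# padding, and flat key=value configuration strings of the kind that appear in
# a plaintext-credential weakness. It is not a real Quantum HD image.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 64
    + b"smtp_host=mail.example.invalid\x00"
    + b"smtp_user=alerts@example.invalid\x00"
    + b"smtp_password=Sup3rSecret!\x00"
    + b"\xff" * 32
    + b"api_token=abcdef0123456789\x00"
)

# Key names that usually precede a secret in flat configuration strings,
# followed by '=' or ':' and a printable value of at least 4 characters.
SECRET_KEY_PATTERN = re.compile(
    rb"(?i)\b([a-z0-9_.-]*(?:passw(?:or)?d|secret|token|api_key)[a-z0-9_.-]*)"
    rb"\s*[=:]\s*([\x21-\x7e]{4,})"
)


def redact(value: str) -> str:
    """Keep only the first and last two characters so a report never re-leaks the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_plaintext_credentials(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, key, redacted value) for every key=value secret found in blob."""
    hits = []
    for m in SECRET_KEY_PATTERN.finditer(blob):
        key = m.group(1).decode("ascii", "replace")
        value = m.group(2).decode("ascii", "replace")
        hits.append((m.start(), key, redact(value)))
    return hits


def scan_firmware_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a firmware image on disk; controller images are small enough to read whole."""
    return find_plaintext_credentials(Path(path).read_bytes())


if __name__ == "__main__":
    # Report offsets so a reviewer can locate the string in a hex editor.
    for offset, key, shown in find_plaintext_credentials(SAMPLE_FIRMWARE):
        print(f"0x{offset:08x}  {key} = {shown}")
```

The scan reports the offset and key name but only a redacted value, so the finding can be ticketed without copying the credential into yet another system. Compressed or encrypted firmware sections must be unpacked first; the pattern only sees flat strings.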

CVE-2026-21658 (CVSS 9.8)

Unauthenticated Remote Code Execution, i.e., an Improper Control of Generation of Code (Code Injection) vulnerability in Johnson Controls Frick Controls Quantum HD. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.

CVE-2026-21657 (CVSS 9.8)

An Improper Control of Generation of Code (Code Injection) vulnerability in Johnson Controls Frick Controls Quantum HD. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.

CVE-2026-21656 (CVSS 9.8)

An Improper Control of Generation of Code (Code Injection) vulnerability in Johnson Controls Frick Controls Quantum HD. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.

CVE-2026-21654 (CVSS 9.8)

An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in Johnson Controls Frick Controls Quantum HD. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.

CVE-2026-21659 (CVSS 9.8)

An Unauthenticated Remote Code Execution and Information Disclosure vulnerability due to Local File Inclusion (LFI) in Johnson Controls Frick Controls Quantum HD allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise.
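As an added example covering the code-injection, OS-command-injection and LFI entries above (not the vendor's code; the parameter names, the log directory and the ping wrapper are hypothetical, since the advisory does not say which parameters are affected): the hardening pattern these weakness classes call for. Each parameter is checked against an allowlist before it reaches an OS command, the command is built as an argv list so no shell interprets the value, and a requested file name is resolved and confined to one directory so traversal and absolute paths cannot reach files outside it.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical names for the demonstration; this is not Johnson Controls code
# and the page does not name the affected parameters of the Quantum HD interface.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
LOG_ROOT = Path("/var/log/hypothetical-controller").resolve()


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation; the request is refused."""


def validate_hostname(value: str) -> str:
    """Allowlist check: only hostname characters, so no shell metacharacter,
    quote or whitespace ever reaches a command line."""
    if not HOSTNAME_RE.fullmatch(value):
        raise InvalidParameter(f"rejected hostname parameter: {value!r}")
    return value


def build_ping_command(host: str) -> list:
    """Build argv for a diagnostic ping. Returning a list and running it with
    shell=False makes the value a single argument that no shell ever parses,
    which is the fix for the OS-command-injection class."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Run the validated command; never builds a string for a shell."""
    return subprocess.run(build_ping_command(host), shell=False,
                          capture_output=True, text=True, check=False)


def resolve_log_path(name: str, root: Path = LOG_ROOT) -> Path:
    """Confine a user-supplied file name to root. Resolving the joined path and
    then requiring root to be an ancestor defeats '../' traversal, absolute
    names (which Path joining would otherwise honour) and symlink escapes."""
    if not name or "\x00" in name:
        raise InvalidParameter("empty or NUL-containing file name")
    candidate = (root / name).resolve()
    if candidate == root or root not in candidate.parents:
        raise InvalidParameter(f"file name escapes {root}: {name!r}")
    return candidate


def is_safe_log_name(name: str) -> bool:
    """Yes/no wrapper for callers that only need to decide whether to serve the file."""
    try:
        resolve_log_path(name)
        return True
    except InvalidParameter:
        return False
```

The two checks are deliberately separate from the code that uses the values, so the same validators can sit in front of every handler of the web interface. Rejecting on validation failure, rather than stripping characters, keeps the logic simple and leaves an auditable error for the device log.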

Impact

  • Gain Access
  • Code Execution
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2026-21660
  • CVE-2026-21658
  • CVE-2026-21657
  • CVE-2026-21656
  • CVE-2026-21654
  • CVE-2026-21659

Affected Vendors

Johnson Controls

Affected Products

  • Johnson Controls Frick Controls Quantum HD 10.22

Remediation

Refer to the Johnson Controls Security Advisory for patch, upgrade, or suggested workaround information.

Johnson Controls Security Advisory