---
title: "Critical Vulnerabilities in Johnson Controls Frick Quantum HD Demand Immediate Action"
short_title: "Johnson Controls Frick Quantum HD critical flaws"
description: "Six vulnerabilities in Johnson Controls Frick Quantum HD, four rated critical, give an unauthenticated network attacker remote code execution, file disclosure and denial of service. Upgrade to Quantum HD Unity v12 or later."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [johnson-controls, cve-2026, rce, cybersecurity, industrial-security]
score: 0.87
cve_ids: [CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660]
---
TL;DR
Johnson Controls Frick Quantum HD versions 10.22 and earlier carry six vulnerabilities. Four are critical (CVSS v3.1 9.1) and give an unauthenticated network attacker remote code execution and the ability to halt the controller; the remaining two are an unauthenticated path-traversal file read (7.5) and plaintext password storage readable by a local attacker (6.2). Organizations must upgrade to Quantum HD Unity (v12 or later) and apply the vendor hardening guide.
---
Main Content
Introduction
Johnson Controls, a global supplier of building and industrial control systems, has disclosed six vulnerabilities in its Frick Controls Quantum HD industrial refrigeration controllers, four of them rated critical.[^1] Exploitation could let an attacker execute arbitrary code, read sensitive files or disrupt operation, and the most severe flaws require no authentication. Because these controllers are widely deployed in the food and agriculture sector, the consequences for industrial security are serious, and affected devices should be upgraded without delay.
---
Key Points
- Six vulnerabilities affect Frick Controls Quantum HD versions 10.22 and earlier: four are critical and give an unauthenticated network attacker remote code execution, one allows unauthenticated file disclosure, and one exposes stored passwords to a local attacker.
- Highest CVSS v3.1 score: 9.1 (Critical). Weakness classes: OS command injection (CWE-78), code injection (CWE-94), relative path traversal (CWE-23) and plaintext password storage (CWE-256).
- Affected sectors: primarily food and agriculture, with worldwide deployment.
- Recommended fix: upgrade to Quantum HD Unity (v12 or later) and follow the Quantum HD Unity hardening guide.
- No public exploitation has been reported, but the critical flaws are network-reachable and pre-authentication, so remediation should not wait for evidence of attack.
---
Technical Details
#### Vulnerability Breakdown
The vulnerabilities in Frick Controls Quantum HD are categorized as follows:
1. CVE-2026-21654
- Type: OS Command Injection (CWE-78)
- CVSS Score: 9.1 (Critical)
- Impact: Allows unauthenticated attackers to execute arbitrary commands on the device.
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
2. CVE-2026-21656, CVE-2026-21657, CVE-2026-21658
- Type: Code Injection (CWE-94)
- CVSS Score: 9.1 (Critical)
- Impact: Lets an unauthenticated network attacker supply input that the device executes as code, giving pre-authentication remote code execution and full control of the controller.
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
3. CVE-2026-21659
- Type: Relative Path Traversal (CWE-23)
- CVSS Score: 7.5 (High)
- Impact: Allows unauthenticated attackers to access sensitive files or directories.
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
4. CVE-2026-21660
- Type: Plaintext Storage of a Password (CWE-256)
- CVSS Score: 6.2 (Medium)
- Impact: Passwords are stored unencrypted on the device. An attacker with local access (AV:L in the vector; this is the one flaw of the six that is not reachable over the network) can read and reuse them for unauthorized access.
- Vector: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
---
Impact Assessment
The vulnerabilities pose significant risks to organizations using Frick Controls Quantum HD:
- Remote Code Execution (RCE): the four critical flaws give an unauthenticated network attacker full control of the controller, enabling process sabotage, tampering with safety-relevant settings, and lateral movement into the rest of the control network.
- Information Disclosure: CVE-2026-21659 lets an unauthenticated attacker read files from the device, and CVE-2026-21660 exposes stored passwords to anyone with local access; both can yield credentials and configuration that support further attacks.
- Denial of Service (DoS): the critical vectors carry A:H, so an attacker can halt the controller outright. In food and agriculture, where these systems run continuous processes, loss of control translates directly into production and product loss.
- Compliance Risks: Failure to patch may result in regulatory violations, especially in industries subject to strict cybersecurity standards.
---
Mitigation Steps
Johnson Controls and CISA recommend the following measures to address these vulnerabilities:[^1][^2]
1. Upgrade to Quantum HD Unity (v12+)
- Legacy Quantum HD versions (10.22 through 11) are end-of-support and will not receive a fix in place; they must be replaced by Quantum HD Unity.
- Follow the [official update procedure](https://frickcontrolsblob.file.core.windows.net/frickweb1/Quantum-HD-Unity/Quantum_HD_Unity_Software_Update_Procedure.pdf).
2. Apply Hardening Measures
- After upgrading, ensure compliance with the Quantum HD Unity hardening guide.
- Implement recommended security configurations to reduce attack surfaces.
3. Network Segmentation
- Isolate control system networks from business networks using firewalls.
- Where remote access is required, route it through a VPN rather than exposing the controller directly, keep the VPN appliance on its current version, and remember that a VPN is only as secure as the devices connected to it.
4. Monitor for Exploitation
- Deploy intrusion detection systems (IDS) to identify suspicious activity.
- Report any suspected incidents to CISA or relevant authorities.
For detailed mitigation instructions, refer to the [Johnson Controls Product Security Advisory JCI-PSA-2026-05](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories).
---
Affected Systems
- Product: Johnson Controls Frick Controls Quantum HD
- Versions: ≤10.22
- Sectors: Food and Agriculture
- Deployment: Worldwide
- Vendor Headquarters: Ireland
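The first practical step from the advisory is finding every Quantum HD in the estate that is at or below 10.22. The following Python is an added example and not vendor code: it triages a constructed asset inventory against the version boundaries stated on this page (10.22 and earlier affected, 10.22 through 11 end-of-support, Unity 12 and later fixed), comparing versions numerically so that 10.9 is correctly ranked below 10.22 rather than above it as a string comparison would do. The inventory rows, hostnames and product strings are made up for illustration.

```python
# Version boundaries as stated in this advisory summary.
AFFECTED_MAX = (10, 22)  # Frick Quantum HD 10.22 and earlier: vulnerable
FIXED_MIN = (12,)        # Quantum HD Unity 12 and later: contains the fixes
# Anything above 10.22 but below 12 is end-of-support per the vendor guidance.

ACTIONS = {
    "affected": "upgrade to Quantum HD Unity 12 or later now",
    "end-of-support": "not in the affected list, but unsupported: upgrade to Unity",
    "fixed": "on Quantum HD Unity: confirm the hardening guide has been applied",
}


def parse_version(text):
    """Turn '10.22' or '12.1.3' into a tuple of ints for numeric comparison.

    Comparing version strings lexically is the classic mistake here:
    '10.9' > '10.22' as strings, but 10.9 is older than 10.22.
    """
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in parts)


def triage(version):
    """Classify a Quantum HD version as affected, end-of-support or fixed."""
    v = parse_version(version)
    # Compare major.minor against the affected ceiling so a 10.22.x patch level
    # is still treated as affected: the advisory says "10.22 and earlier".
    if v[:2] <= AFFECTED_MAX:
        return "affected"
    if v < FIXED_MIN:
        return "end-of-support"
    return "fixed"


# Constructed inventory for illustration only; hosts and versions are invented.
SAMPLE_INVENTORY = [
    {"host": "frick-comp-01", "product": "Frick Quantum HD", "version": "10.22"},
    {"host": "frick-comp-02", "product": "Frick Quantum HD", "version": "10.9"},
    {"host": "frick-comp-03", "product": "Frick Quantum HD", "version": "11.0"},
    {"host": "frick-comp-04", "product": "Frick Quantum HD Unity", "version": "12.1"},
    {"host": "plc-line-2", "product": "Other vendor PLC", "version": "3.4"},
]


def triage_inventory(rows):
    """Return (host, version, status) for every Quantum HD row; skip other products."""
    results = []
    for row in rows:
        if "quantum hd" not in row["product"].lower():
            continue  # out of scope for this advisory
        results.append((row["host"], row["version"], triage(row["version"])))
    return results


def summarize(results):
    """Count hosts per triage status."""
    counts = {}
    for _, _, status in results:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for host, version, status in results:
        print(f"{host:<14} {version:<8} {status:<15} {ACTIONS[status]}")
    print(summarize(results))
```

Feed it the real inventory export instead of `SAMPLE_INVENTORY` and the "affected" bucket is the patch list; the "end-of-support" bucket should go on the same list, because those releases will never receive a fix in place.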
---
Conclusion
The six vulnerabilities in Johnson Controls Frick Quantum HD, four of them critical and reachable without authentication, leave affected controllers open to remote code execution, file disclosure and denial of service. No exploitation has been reported, but network reachability, the absence of any authentication requirement and an end-of-support code base mean the only durable fix is to upgrade to Quantum HD Unity (v12 or later) and apply the hardening guide. Combining Johnson Controls' recommendations with network segmentation and monitoring is what protects the processes these controllers run.
---
References
[^1]: CISA. "[ICSA-26-057-01: Johnson Controls, Inc. Frick Controls Quantum HD](https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01)". Retrieved 2024-10-02.
[^2]: Johnson Controls. "[Product Security Advisory JCI-PSA-2026-05](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories)". Retrieved 2024-10-02.
[^3]: MITRE. "[CWE-78: Improper Neutralization of Special Elements used in an OS Command](https://cwe.mitre.org/data/definitions/78.html)". Retrieved 2024-10-02.
[^4]: MITRE. "[CWE-94: Improper Control of Generation of Code](https://cwe.mitre.org/data/definitions/94.html)". Retrieved 2024-10-02.