OTPulse

Johnson Controls Quantum HD Unity

Act Now · CVSS 10 · ICS-CERT ICSA-23-313-01 · Nov 9, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls Quantum HD Unity control panels contain an exposed debug feature accessible without authentication that could allow unauthorized access. The vulnerability affects multiple panel types across the Quantum HD Unity HVAC/refrigeration control system: Compressor, AcuAir, Condenser/Vessel, Evaporator, Engine Room, and Interface panels in both Q5 and Q6 generations.

What this means
What could happen
An attacker with network access to a Quantum HD Unity control panel could access debug features and potentially read, modify, or disrupt refrigeration/HVAC process control, leading to loss of temperature control, equipment shutdown, or operational failure in data centers, hospitals, or industrial facilities.
Who's at risk
Data centers, hospitals, industrial refrigeration facilities, and any organization operating Johnson Controls Quantum HD Unity HVAC or refrigeration control systems. All six panel types (Compressor, AcuAir, Condenser/Vessel, Evaporator, Engine Room, Interface) in both Q5 and Q6 hardware generations are affected. Critical for climate-controlled environments where loss of temperature control could damage equipment or products.
How it could be exploited
An attacker connects to the Quantum HD Unity control panel over the network and accesses exposed debug features without supplying credentials. From debug access, the attacker could view or modify process parameters, sensor readings, or control logic governing refrigeration or HVAC operation.
Prerequisites
  • Network access to the Quantum HD Unity control panel (direct or via compromised plant network)
  • No authentication required to access debug features
  • Device must be running firmware version below 11.22 (Q5) or 12.22 (Q6) depending on panel type
Remotely exploitable · No authentication required · Low complexity attack · Critical CVSS score (10.0) · All panel types vulnerable · No patch available yet for most installations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (12)
12 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Quantum HD Unity Compressor control panels (Q5) | <11.22 | 11.22 |
| Quantum HD Unity Compressor control panels (Q6) | <12.22 | 12.22 |
| Quantum HD Unity AcuAir control panels (Q5) | <11.12 | 11.12 |
| Quantum HD Unity Condenser/Vessel control panels (Q5) | <11.11 | 11.11 |
| Quantum HD Unity Condenser/Vessel control panels (Q6) | <12.11 | 12.11 |
| Quantum HD Unity Evaporator control panels (Q5) | <11.11 | 11.11 |
| Quantum HD Unity Evaporator control panels (Q6) | <12.11 | 12.11 |
| Quantum HD Unity Engine Room control panels (Q5) | <11.11 | 11.11 |
Remediation & Mitigation
Do now
HARDENING: Ensure Quantum HD Unity panels are not accessible from the internet; remove any direct internet routes or exposed management interfaces
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Quantum HD Unity Compressor control panels to firmware version 11.22 (Q5) or 12.22 (Q6)
HOTFIX: Update Quantum HD Unity AcuAir control panels to firmware version 11.12 (Q5) or 12.12 (Q6)
HOTFIX: Update Quantum HD Unity Condenser/Vessel control panels to firmware version 11.11 (Q5) or 12.11 (Q6)
HOTFIX: Update Quantum HD Unity Evaporator control panels to firmware version 11.11 (Q5) or 12.11 (Q6)
HOTFIX: Update Quantum HD Unity Engine Room control panels to firmware version 11.11 (Q5) or 12.11 (Q6)
HOTFIX: Update Quantum HD Unity Interface control panels to firmware version 11.11 (Q5) or 12.11 (Q6)
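
Added example (not part of the advisory and not vendor tooling): a triage script that checks an asset inventory against the fixed firmware versions listed above. The CSV column layout and asset names are assumptions, as is the dotted-numeric version format, which is compared component by component so that 11.9 ranks below 11.22.

```python
import csv
import io

# Fixed firmware versions per (panel type, generation), taken from the
# remediation list in this advisory.
FIXED = {
    ("compressor", "Q5"): "11.22", ("compressor", "Q6"): "12.22",
    ("acuair", "Q5"): "11.12", ("acuair", "Q6"): "12.12",
    ("condenser/vessel", "Q5"): "11.11", ("condenser/vessel", "Q6"): "12.11",
    ("evaporator", "Q5"): "11.11", ("evaporator", "Q6"): "12.11",
    ("engine room", "Q5"): "11.11", ("engine room", "Q6"): "12.11",
    ("interface", "Q5"): "11.11", ("interface", "Q6"): "12.11",
}

def parse_version(text):
    """Turn '11.9' into (11, 9); assumes a dotted-numeric version string."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(inventory_csv):
    """Return {asset: status}; status is 'VULNERABLE', 'FIXED' or 'REVIEW'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["panel_type"].strip().lower(), row["generation"].strip().upper())
        fixed = FIXED.get(key)
        try:
            installed = parse_version(row["firmware"])
        except (ValueError, AttributeError):
            installed = None
        if fixed is None or installed is None:
            # Unknown panel type or unreadable version: never assume it is safe.
            results[row["asset"]] = "REVIEW"
        elif installed < parse_version(fixed):
            results[row["asset"]] = "VULNERABLE"
        else:
            results[row["asset"]] = "FIXED"
    return results

# Constructed sample inventory (hypothetical asset names and column layout).
SAMPLE = """asset,panel_type,generation,firmware
chiller-01,Compressor,Q5,11.9
chiller-02,Compressor,Q6,12.22
ahu-03,AcuAir,Q6,12.11
evap-04,Evaporator,Q5,11.11
hmi-05,Interface,Q6,unknown
"""

if __name__ == "__main__":
    for asset, status in triage(SAMPLE).items():
        print(f"{asset}: {status}")
```
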
Long-term hardening
HARDENING: Isolate Quantum HD Unity control panel networks from the business network and restrict network access using firewalls