Johnson Controls, Inc. Frick Controls Quantum HD
Act Now
CVSS: 9.1
Source: ICS-CERT ICSA-26-057-01
Published: Feb 26, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Frick Controls Quantum HD versions 10.22 and earlier contain multiple pre-authentication remote code execution vulnerabilities (CWE-78, CWE-94, CWE-23, CWE-256) that can lead to remote code execution, information disclosure, or denial of service. The affected versions (10.22 through 11) are legacy platforms that have reached end of support. Johnson Controls recommends upgrading to Quantum HD Unity version 12 or higher. After upgrade, administrators must verify compliance with the hardening guide and apply all recommended security configurations as detailed in security advisory JCI-PSA-2026-05.
What this means
What could happen
An attacker could remotely execute commands on the Frick Controls Quantum HD system without authentication, potentially allowing them to alter chiller setpoints, disable safety interlocks, or stop critical cooling operations.
Who's at risk
Water utilities and commercial building operators using Frick Controls Quantum HD chillers for primary or secondary cooling loops. This includes most mid-size municipal water authorities and facilities with centralized chilled water systems. The vulnerability affects versions 10.22 and earlier, which are end-of-life but still in operation at many sites.
How it could be exploited
An attacker on the network can send a crafted request to the Quantum HD system (port 80/443 or internal services) to exploit command injection or code execution flaws, gaining pre-authentication remote code execution without needing valid credentials.
Prerequisites
- Network reachability to the Frick Controls Quantum HD device on its management port
- No valid credentials required for exploitation
Risk factors: remotely exploitable, no authentication required, low complexity, high CVSS (9.1), no patch available for legacy versions, affects safety and process control, end-of-life product
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: Frick Controls Quantum HD
Affected Versions: ≤ 10.22
Fix Status: Quantum HD Unity version 12 or higher
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the Frick Controls Quantum HD management interface using firewall rules (only allow engineering workstations and authorized monitoring systems until upgrade is complete)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade Frick Controls Quantum HD to Quantum HD Unity version 12 or higher following the vendor's upgrade procedure
- HARDENING: After upgrade completion, apply all security configurations from the Johnson Controls hardening guide and security advisory JCI-PSA-2026-05