Johnson Controls, Inc. Frick Controls Quantum HD

Plan Patch | CVSS 9.1 | ICS-CERT ICSA-26-057-01 | Feb 26, 2026
Johnson Controls
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Frick Controls Quantum HD versions 10.22 through 11 contain pre-authentication remote code execution vulnerabilities (CWE-78 command injection, CWE-94 code injection, CWE-23 path traversal, CWE-256 plaintext credentials) that allow an unauthenticated remote attacker to execute arbitrary commands, leak information, or cause denial of service. These versions are legacy products that have reached end of support. Johnson Controls recommends upgrading to Quantum HD Unity version 12 or higher and applying all hardening configurations.

What this means
What could happen
An attacker with network access to the Quantum HD control system can execute arbitrary code without authentication, potentially altering refrigeration or HVAC process setpoints, stopping operations, or exfiltrating configuration and sensor data.
Who's at risk
This affects facilities using Frick Controls Quantum HD for refrigeration and HVAC management, including cold storage warehouses, data centers, supermarkets, and building climate control systems. Any facility running Quantum HD versions 10.22 through 11 is at risk.
How it could be exploited
An attacker sends a specially crafted network request to the Quantum HD system on port 443 (or the configured management port). The vulnerability allows code injection without requiring valid credentials, enabling remote execution of arbitrary commands on the control device.
Prerequisites
  • Network access to the Quantum HD management interface (typically port 443)
  • No authentication required
remotely exploitable, no authentication required, low complexity, critical CVSS (9.1), pre-authentication RCE, legacy end-of-life product, affects process control systems
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product | Affected Versions | Fix Status
Frick Controls Quantum HD: <=10.22 | ≤ 10.22 | Quantum HD Unity version 12 or higher
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to the Quantum HD management interface to authorized engineering workstations and monitoring systems only, using firewall rules.
  • WORKAROUND: Disable remote management access to Quantum HD systems if not actively required for operations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade Frick Controls Quantum HD to Quantum HD Unity version 12 or higher using the official update procedure.
  • HARDENING: After upgrade to version 12, apply all hardening configurations detailed in the Johnson Controls hardening guide.