CVE-2026-21658
Published 2026-02-27
CVE-2026-21658: Unauthenticated Remote Code Execution i.e. Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD…
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.63% (45.5th percentile)
Unauthenticated Remote Code Execution i.e. Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs. This issue affects Frick Controls Quantum HD version 10.22 and prior.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| johnson_controls | frick_controls_quantum_hd | — | — |
| johnsoncontrols | frick_controls_quantum_hd_firmware | <= 10.22 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
Johnson Controls, Inc. Frick Controls Quantum HD
Source: cisa_ics · 2026-02-26 · CVSS 9.8 · [CRITICAL]
ICS Advisory
Release Date: February 26, 2026
Alert Code: ICSA-26-057-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities can lead to pre-authentication remote code execution, information leak or denial of service.
The following versions of Johnson Controls, Inc. Frick Controls Quantum HD are affected:
- Frick Controls Quantum HD <=10.22 (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.1 | Johnson Controls, Inc. | Johnson Controls, Inc. Frick Controls Quantum HD | Improper Neutralization of Special Elements used |
GHSA
GHSA-9crv-fj8p-224j: Unauthenticated Remote Code Execution i
Source: ghsa_unreviewed · 2026-02-27 · CVE-2026-21658 · [HIGH] · CWE-94
Unauthenticated Remote Code Execution i.e. Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. This issue affects Frick Controls Quantum HD version 10.22 and prior.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-02-27