CVE-2026-21659
Published 2026-02-27
CVE-2026-21659: Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD…
Priority P2 · 70 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.91% (55.5th percentile)
Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise.
This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| johnson_controls | frick_controls_quantum_hd | — | — |
| johnsoncontrols | frick_controls_quantum_hd_firmware | <= 10.22 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
cisa_ics · 2026-02-26 · CVSS 9.8 · [CRITICAL]
ICS Advisory
## Johnson Controls, Inc. Frick Controls Quantum HD
Release Date: February 26, 2026
Alert Code: ICSA-26-057-01
## Summary
Successful exploitation of these vulnerabilities can lead to pre-authentication remote code execution, information leak or denial of service.
The following versions of Johnson Controls, Inc. Frick Controls Quantum HD are affected:
- Frick Controls Quantum HD <=10.22 (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.1 | Johnson Controls, Inc. | Johnson Controls, Inc. Frick Controls Quantum HD | Improper Neutralization of Special Elements used |
GHSA
GHSA-7qxc-43wm-v793 · ghsa_unreviewed · 2026-02-27 · CVE-2026-21659 · [HIGH] · CWE-22
Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise.
This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-02-27