CVE-2026-21660
published 2026-02-27
CVE-2026-21660: Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22…
Priority P357 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.23% (13.7th percentile)
Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise.
This issue affects Frick Controls Quantum HD version 10.22 and prior.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| johnson_controls | frick_controls_quantum_hd | — | — |
| johnsoncontrols | frick_controls_quantum_hd_firmware | <= 10.22 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
Johnson Controls, Inc. Frick Controls Quantum HD
cisa_ics·2026-02-26·CVSS 9.8
[CRITICAL] Johnson Controls, Inc. Frick Controls Quantum HD
ICS Advisory
## Johnson Controls, Inc. Frick Controls Quantum HD
Release Date: February 26, 2026
Alert Code: ICSA-26-057-01
## Summary
Successful exploitation of these vulnerabilities can lead to pre-authentication remote code execution, information leak or denial of service.
The following versions of Johnson Controls, Inc. Frick Controls Quantum HD are affected:
- Frick Controls Quantum HD <=10.22 (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.1 | Johnson Controls, Inc. | Johnson Controls, Inc. Frick Controls Quantum HD | Improper Neutralization of Special Elements used |
GHSA
GHSA-2f5g-m75x-xphf: Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD versi
ghsa_unreviewed·2026-02-27
CVE-2026-21660 [MEDIUM] CWE-256 GHSA-2f5g-m75x-xphf: Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD versi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-02-27