Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.
Published: 2026-02-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS Command Injection flaw allows an attacker to inject and execute arbitrary operating‑system commands on Johnson Controls Frick Controls Quantum HD before any authentication occurs. The vulnerability is categorized as CWE‑78 and can compromise the device’s integrity and confidentiality. The flaw arises from insufficient validation of certain input parameters.

Affected Systems

Johnson Controls Frick Controls Quantum HD versions 10.22 and older are affected. The product is identified by the vendor Johnson Controls and the model Frick Controls Quantum HD.

Risk and Exploitability

The CVSS base score of 8.8 denotes high severity. EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote and unauthenticated, requiring the attacker to reach a vulnerable interface exposed to external traffic.

Generated by OpenCVE AI on April 18, 2026 at 10:17 UTC.

Remediation

Vendor Solution

a. Quantum HD version 10.22 through Version 11 is a previous product platform and is End Of support platform and should be upgraded to new platform with Quantum HD Unity version 12 and above. The update procedure can be found here:  https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

OpenCVE Recommended Actions

  • Upgrade the device to Quantum HD Unity version 12 or later following the vendor’s update procedure at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
  • Restrict or block inbound traffic to the device’s exposed interfaces through firewall rules or network segmentation until the update is applied
  • Monitor device logs and set up alerts for anomalous command execution attempts to detect potential exploitation

Generated by OpenCVE AI on April 18, 2026 at 10:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Johnsoncontrols frick Controls Quantum Hd Firmware
CPEs cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*
cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*
Vendors & Products Johnsoncontrols frick Controls Quantum Hd Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Johnsoncontrols
Johnsoncontrols frick Controls Quantum Hd
Vendors & Products Johnsoncontrols
Johnsoncontrols frick Controls Quantum Hd

Fri, 27 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection.This issue affects Frick Controls Quantum HD version 10.22 and prior. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Fri, 27 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection.This issue affects Frick Controls Quantum HD version 10.22 and prior.
Title Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Johnsoncontrols Frick Controls Quantum Hd Frick Controls Quantum Hd Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: jci

Published:

Updated: 2026-03-06T18:44:44.778Z

Reserved: 2026-01-02T13:23:28.169Z

Link: CVE-2026-21654

cve-icon Vulnrichment

Updated: 2026-03-06T18:44:38.830Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T09:16:16.223

Modified: 2026-03-02T18:25:01.993

Link: CVE-2026-21654

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses