Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs. This issue affects Frick Controls Quantum HD version 10.22 and prior.
Published: 2026-02-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper control of code generation (CWE-94) that allows code injection before authentication. Insufficient validation of certain input parameters can cause the device to execute unintended or malicious code. If exploited, an attacker could gain persistent control over the Frick Controls Quantum HD appliance, impacting the confidentiality, integrity, and availability of the device's operations. The flaw exists in the previous, end-of-support product platform and poses a high-severity threat.

Affected Systems

Johnson Controls Frick Controls Quantum HD systems running version 10.22 or earlier are affected. The product is part of the older platform that is no longer supported. Upgrading to the Quantum HD Unity platform, version 12 or later, removes this vulnerability.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, though the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability can be triggered via unauthenticated remote inputs, potentially allowing an attacker to send crafted requests over the network before any authentication is required. The vulnerability is not listed in the CISA KEV catalog, but its pre‑authentication nature and remote code execution potential still demand rapid remediation.

Generated by OpenCVE AI on April 16, 2026 at 15:28 UTC.

Remediation

Vendor Solution

a. Quantum HD version 10.22 through version 11 is a previous product platform that is end of support and should be upgraded to the new platform, Quantum HD Unity version 12 and above. The update procedure can be found here: https://frickcontrolsblob.file.core.windows.net/frickweb1/Quantum-HD-Unity/Quantum_HD_Unity_Software_Update_Procedure.pdf

b. After the upgrade to version 12 is completed, ensure full alignment with the hardening guide and apply all relevant security configurations.

d. For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2026-05 at the following location


OpenCVE Recommended Actions

  • Upgrade the device to Quantum HD Unity version 12 or newer following the official update procedure documented by Johnson Controls.
  • After upgrading, ensure full alignment with the provided hardening guide and apply all recommended security configurations to the firmware.
  • Restrict external network access to the device by implementing firewall rules or network segmentation, limiting connections to only trusted administrative networks.

Generated by OpenCVE AI on April 16, 2026 at 15:28 UTC.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type        Values Removed    Values Added
Metrics                       ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Johnsoncontrols frick Controls Quantum Hd Firmware
CPEs                                    cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*
                                        cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*
Vendors & Products                      Johnsoncontrols frick Controls Quantum Hd Firmware
Metrics                                 cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Feb 2026 16:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Johnsoncontrols
                                        Johnsoncontrols frick Controls Quantum Hd
Vendors & Products                      Johnsoncontrols
                                        Johnsoncontrols frick Controls Quantum Hd

Fri, 27 Feb 2026 09:15:00 +0000

Type          Values Removed    Values Added
Description                     Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs. This issue affects Frick Controls Quantum HD version 10.22 and prior.
Title                           Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution
Weaknesses                      CWE-94
References
Metrics                         cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jci

Published:

Updated: 2026-03-06T18:42:45.757Z

Reserved: 2026-01-02T13:23:28.169Z

Link: CVE-2026-21656

Vulnrichment

Updated: 2026-03-06T18:42:26.377Z

NVD

Status: Analyzed

Published: 2026-02-27T09:16:16.417

Modified: 2026-03-02T18:24:51.433

Link: CVE-2026-21656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses