Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs. This issue affects Frick Controls Quantum HD version 10.22 and prior.
Published: 2026-02-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Improper input validation in certain parameters permits code injection before authentication, allowing an unauthenticated remote attacker to execute arbitrary code on the device. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code). The vendor's CVSS v4.0 vector rates integrity and availability impact as high with no confidentiality impact (VC:N/VI:H/VA:H), whereas NVD's CVSS v3.1 vector for the same issue rates confidentiality, integrity and availability all high; in either reading, an attacker can run arbitrary commands on the control system.
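The page does not say which parameters are affected or how the Quantum HD firmware turns them into code, so the following is a generic illustration of the CWE-94 pattern named above, added here as an example; it is not code from Johnson Controls or the product, and the request handler, the parameter names (setpoint, compressor_id) and the attack input are all hypothetical. The vulnerable handler builds source text from request input and executes it, so a value that contains a second statement runs as code; the hardened handler never generates code from input, allowlisting parameter names and parsing values with a strict numeric pattern.

```python
"""Generic CWE-94 illustration (added example, not the Quantum HD firmware).

Hypothetical unauthenticated request handlers that receive key=value
parameters. Nothing here is taken from the product; the parameter names
and the attack string are constructed for the demonstration.
"""
import re

# Hypothetical allowlist of parameters the handler is willing to accept.
ALLOWED_PARAMS = {"setpoint", "compressor_id"}
# Strict numeric pattern: optional sign, digits, optional fraction. Nothing else.
NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")


def vulnerable_handler(params, state):
    """CWE-94: request input is spliced into Python source and executed.

    Every parameter value becomes part of a statement, so a value such as
    "0; state['injected'] = True" appends attacker-controlled code to the
    generated line. Deliberately unsafe; kept here only for contrast.
    """
    for name, value in params.items():
        code = f"state['{name}'] = {value}"
        exec(code)  # noqa: S102 - intentionally unsafe for the demonstration
    return state


def hardened_handler(params, state):
    """Same function without code generation.

    Parameter names must be on the allowlist and values must match the
    numeric pattern before they are converted and stored; anything else is
    rejected with ValueError instead of being interpreted.
    """
    for name, value in params.items():
        if name not in ALLOWED_PARAMS:
            raise ValueError(f"unknown parameter: {name!r}")
        if not NUMERIC.fullmatch(value):
            raise ValueError(f"non-numeric value for {name}: {value!r}")
        state[name] = float(value)
    return state


def demo():
    """Run both handlers on a benign and a constructed malicious request."""
    benign = {"setpoint": "42.5"}
    # Constructed attack input: valid Python that adds a second statement.
    malicious = {"setpoint": "0; state['injected'] = True"}

    results = {}
    results["vulnerable_benign"] = vulnerable_handler(benign, {})
    # Injected statement executes: the returned state gains an 'injected' key.
    results["vulnerable_malicious"] = vulnerable_handler(malicious, {})
    results["hardened_benign"] = hardened_handler(benign, {})
    try:
        hardened_handler(malicious, {})
        results["hardened_malicious"] = "accepted"
    except ValueError as exc:
        results["hardened_malicious"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The point of the contrast is that validation alone is not the fix when input is still fed to an evaluator; the hardened version removes the code-generation step entirely and only then validates what remains.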

Affected Systems

Johnson Controls Frick Controls Quantum HD devices running version 10.22 or earlier. According to the vendor, Quantum HD 10.22 through version 11 is a previous, end-of-support product platform; affected devices must be upgraded to the Quantum HD Unity 12 platform or later rather than patched in place.

Risk and Exploitability

The vendor's CVSS v4.0 score is 8.8 (High); NVD's CVSS v3.1 assessment of the same issue is 9.8 (Critical), and both vectors agree that the flaw is network-reachable with low attack complexity and requires neither privileges nor user interaction. The EPSS probability is below 1% and the issue is not listed in the CISA KEV catalog, so exploitation is not currently expected to be widespread; the CISA SSVC assessment nevertheless marks it Automatable: yes with total technical impact. Because code execution can occur before authentication, any device still running the end-of-support firmware is at significant risk, especially if it is reachable from untrusted networks.

Generated by OpenCVE AI on April 18, 2026 at 10:17 UTC.

Remediation

Vendor Solution

a. Quantum HD versions 10.22 through 11 belong to a previous product platform that is end of support and should be upgraded to the new platform, Quantum HD Unity version 12 and above. The update procedure can be found here: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories


OpenCVE Recommended Actions

  • Upgrade the device firmware to Quantum HD Unity version 12 or later using the official update procedure found at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
  • Until the upgrade is complete, reduce the attack surface: the flaw is reachable over the network before authentication (AV:N, PR:N), so remove any direct Internet exposure of the controller, restrict access to it from outside the control network, and disable remote-access interfaces that are not required
  • Reboot the device to apply the update, confirm the running firmware reports Unity version 12 or later, then monitor system logs for suspicious activity

Generated by OpenCVE AI on April 18, 2026 at 10:17 UTC.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Values added (none removed):
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:30:00 +0000

Values added (none removed):
  • First Time appeared: Johnsoncontrols frick Controls Quantum Hd Firmware
  • CPEs: cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*
    cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*
  • Vendors & Products: Johnsoncontrols frick Controls Quantum Hd Firmware
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Feb 2026 16:15:00 +0000

Values added (none removed):
  • First Time appeared: Johnsoncontrols; Johnsoncontrols frick Controls Quantum Hd
  • Vendors & Products: Johnsoncontrols; Johnsoncontrols frick Controls Quantum Hd

Fri, 27 Feb 2026 09:15:00 +0000

Values added (none removed):
  • Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.
  • Title: Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution
  • Weaknesses: CWE-94
  • References:
  • Metrics: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jci

Published:

Updated: 2026-03-06T18:41:29.078Z

Reserved: 2026-01-02T13:23:28.169Z

Link: CVE-2026-21657

Vulnrichment

Updated: 2026-03-06T18:41:23.344Z

NVD

Status : Analyzed

Published: 2026-02-27T09:16:16.600

Modified: 2026-06-17T10:18:52.403

Link: CVE-2026-21657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')