Description
Unauthenticated Remote Code Execution, i.e. Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs. This issue affects Frick Controls Quantum HD version 10.22 and prior.
Published: 2026-02-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Remote Code Execution
Action: Upgrade
AI Analysis

Impact

The vulnerability allows an attacker to inject and execute arbitrary code on the device because user input in certain parameters is insufficiently validated. Since the affected code path is reachable before authentication is established, an unauthenticated remote actor could take full control of the device.

Affected Systems

Johnson Controls Frick Controls Quantum HD devices running firmware version 10.22 and all earlier releases are impacted. The vendor has classified the 10.22 through 11 platform as End Of Support and recommends moving to the Quantum HD Unity version 12 or later.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while an EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be network-based and remote, given that the vulnerability can be triggered without any authentication. If exploited, an attacker could gain complete control of the device, compromising its confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 17, 2026 at 14:01 UTC.

Remediation

Vendor Solution

Quantum HD version 10.22 through version 11 is a previous product platform that is End of Support and should be upgraded to the new platform, Quantum HD Unity version 12 and above. The update procedure can be found here: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories


OpenCVE Recommended Actions

  • Upgrade the device to Quantum HD Unity version 12 or higher as directed by Johnson Controls.
  • Update or patch the firmware to the latest vendor release of the Quantum HD Unity platform if available.
  • Apply network segmentation or firewall rules to restrict external access to the device’s management interfaces, limiting the ability of unauthenticated actors to reach vulnerable code paths.

Generated by OpenCVE AI on April 17, 2026 at 14:01 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 18:30:00 +0000

Type: First Time appeared
Values Added: Johnsoncontrols frick Controls Quantum Hd Firmware

Type: CPEs
Values Added:
cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*
cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Johnsoncontrols frick Controls Quantum Hd Firmware

Type: Metrics
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Feb 2026 16:15:00 +0000

Type: First Time appeared
Values Added:
Johnsoncontrols
Johnsoncontrols frick Controls Quantum Hd

Type: Vendors & Products
Values Added:
Johnsoncontrols
Johnsoncontrols frick Controls Quantum Hd

Fri, 27 Feb 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:45:00 +0000

Type: Description
Values Removed: Unauthenticated Remote Code Execution i.e Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection.This issue affects Frick Controls Quantum HD version 10.22 and prior.
Values Added: Unauthenticated Remote Code Execution i.e Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Fri, 27 Feb 2026 09:15:00 +0000

Type: Description
Values Added: Unauthenticated Remote Code Execution i.e Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Type: Title
Values Added: Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0
{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jci

Published:

Updated: 2026-02-27T13:07:55.620Z

Reserved: 2026-01-02T13:23:28.169Z

Link: CVE-2026-21658

Vulnrichment

Updated: 2026-02-27T13:07:50.326Z

NVD

Status : Analyzed

Published: 2026-02-27T09:16:16.773

Modified: 2026-03-02T18:24:25.517

Link: CVE-2026-21658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses