Description
Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise.
This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.
Published: 2026-02-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Upgrade
AI Analysis

Impact

A local file inclusion weakness in Johnson Controls Frick Controls Quantum HD allows an unauthenticated attacker to read or execute files on the device. The flaw is a classic path traversal (CWE-22) and generic local file inclusion (CWE-23) that can be leveraged to run arbitrary code and exfiltrate sensitive information, ultimately leading to complete compromise of the affected system's confidentiality, integrity, and availability.
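The weakness class the analysis names, shown as an added example that is not part of the advisory and not code from Johnson Controls or the Quantum HD firmware: a file lookup that joins the request path under a web root (the CWE-22 pattern) beside a hardened lookup that resolves the candidate and requires it to stay inside the root, followed by a check for traversal indicators in access-log lines. The web root, file names, request paths and log lines are constructed for the example, and the function names (vulnerable_lookup, hardened_lookup, flag_traversal_requests) are hypothetical.

```python
"""Path traversal (CWE-22) / local file inclusion: the weak lookup pattern beside
a hardened one, plus a check over constructed access-log lines.

Added illustration of the weakness class named in the advisory; not code from
Johnson Controls or the Quantum HD firmware. The web root, file names, request
paths and log lines below are constructed for the example.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

# Constructed layout: a web root holding one legitimate file, and a sibling
# directory outside the root holding a file that must never be served.
WEB_ROOT = Path(tempfile.mkdtemp(prefix="webroot-"))
OUTSIDE = Path(tempfile.mkdtemp(prefix="outside-"))
(WEB_ROOT / "index.html").write_text("<h1>ok</h1>")
(OUTSIDE / "secret.txt").write_text("not for the web")

# A request path that walks from the web root into the outside directory.
TRAVERSAL_REQUEST = os.path.relpath(OUTSIDE / "secret.txt", WEB_ROOT)


def vulnerable_lookup(user_path: str) -> Optional[Path]:
    """The weak pattern: decode the request path and join it under the root,
    trusting the caller. Each '..' segment walks one level out of the root."""
    candidate = WEB_ROOT / unquote(user_path).lstrip("/")
    return candidate if candidate.is_file() else None


def hardened_lookup(user_path: str) -> Optional[Path]:
    """Resolve the candidate (following symlinks and collapsing '..') and require
    the resolved root to be one of its parents. NUL bytes are rejected because
    they truncate the path in many C runtimes."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    root = WEB_ROOT.resolve()
    try:
        candidate = (root / decoded.lstrip("/")).resolve(strict=True)
    except (OSError, RuntimeError):  # missing file or symlink loop
        return None
    if root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


# Indicators of traversal in a request target: '../' and '..\', their
# percent-encoded forms, and an encoded NUL byte.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|%2e%2e(?:%2f|%5c|/)|\.\.%2f|%00", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

# Constructed access-log lines in common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2026:10:16:22 +0000] "GET /index.html HTTP/1.1" 200 12',
    '10.0.0.9 - - [27/Feb/2026:10:16:23 +0000] "GET /../../config/secret.txt HTTP/1.1" 200 15',
    '10.0.0.9 - - [27/Feb/2026:10:16:24 +0000] "GET /%2e%2e/%2e%2e/config/secret.txt HTTP/1.1" 404 0',
    '10.0.0.9 - - [27/Feb/2026:10:16:25 +0000] "GET /%252e%252e/config/secret.txt HTTP/1.1" 404 0',
    '10.0.0.7 - - [27/Feb/2026:10:16:26 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
]


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the request targets that carry a traversal indicator. The target is
    tested raw and after one percent-decode, so double-encoded '..' is caught."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        if TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(unquote(target)):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("vulnerable lookup served:", vulnerable_lookup(TRAVERSAL_REQUEST))
    print("hardened lookup served:  ", hardened_lookup(TRAVERSAL_REQUEST))
    print("flagged requests:", flag_traversal_requests(SAMPLE_LOG))
```

The containment check is done on the resolved path rather than on the string, so symlinks inside the root that point outside it are rejected as well; the log check decodes only once on purpose, since decoding repeatedly can mask which encoding layer a client actually sent.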

Affected Systems

Devices running Johnson Controls Frick Controls Quantum HD firmware version 10.22 and earlier are vulnerable. The issue is present on the older Quantum HD platform; moving to the newer Quantum HD Unity platform version 12 or later eliminates the vulnerability.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score of less than 1% shows a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. It can be exploited remotely via network interfaces exposed by the device and does not require authentication. The combination of critical impact and low exploitation likelihood still warrants prompt action.

Generated by OpenCVE AI on April 18, 2026 at 10:16 UTC.

Remediation

Vendor Solution

a. Quantum HD version 10.22 through version 11 is a previous product platform that is end of support and should be upgraded to the new platform, Quantum HD Unity version 12 and above. The update procedure can be found here: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories


OpenCVE Recommended Actions

  • Upgrade to Quantum HD Unity version 12 or higher following Johnson Controls' update procedure (see https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories)
  • Discontinue use of Quantum HD firmware version 10.22 or earlier so that no device remains on the vulnerable platform
  • If an upgrade cannot be performed immediately, enforce strict network segmentation or firewall rules to block unauthenticated access to the device until the upgrade is completed



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Johnsoncontrols frick Controls Quantum Hd Firmware
Weaknesses | | CWE-22
CPEs | | cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:* ; cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Johnsoncontrols frick Controls Quantum Hd Firmware
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Johnsoncontrols ; Johnsoncontrols frick Controls Quantum Hd
Vendors & Products | | Johnsoncontrols ; Johnsoncontrols frick Controls Quantum Hd

Fri, 27 Feb 2026 09:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | CWE-22 | CWE-23

Fri, 27 Feb 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.
Title | | Johnson Controls -Frick Quantum HD-Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jci

Published:

Updated: 2026-03-06T18:40:42.670Z

Reserved: 2026-01-02T13:23:28.169Z

Link: CVE-2026-21659

Vulnrichment

Updated: 2026-03-06T18:40:37.387Z

NVD

Status : Analyzed

Published: 2026-02-27T10:16:22.373

Modified: 2026-03-02T18:23:49.030

Link: CVE-2026-21659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses