Description
Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise.
This issue affects Frick Controls Quantum HD version 10.22 and prior.
Published: 2026-02-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access due to plaintext credential storage
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from hardcoded email credentials stored in plaintext within the firmware of Frick Controls Quantum HD. This flaw, classified as plaintext storage of a password, allows an attacker to discover valid credentials that can be used to log in, access sensitive information, and potentially compromise the system. Based strictly on the provided description, the potential damage includes unauthorized access, data exposure, and loss of system integrity.

Affected Systems

Frick Controls Quantum HD models running firmware version 10.22 or earlier are affected. The vendor is Johnson Controls and the product is Frick Controls Quantum HD. No further sub‑versions are listed; all releases at or below 10.22 should be considered vulnerable.

Risk and Exploitability

The CVSS 4.0 score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The change history also records a CVSS 3.1 score of 9.8 with a network attack vector (AV:N), so the two scores disagree on attack vector and overall severity. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires the attacker to obtain or analyze the firmware, implying local or supply‑chain access. With the exposed credentials, an attacker could authenticate to the device and perform unauthorized actions if no additional safeguards are in place.

Generated by OpenCVE AI on April 17, 2026 at 14:01 UTC.

Remediation

Vendor Solution

a. Quantum HD version 10.22 through version 11 is a previous product platform that has reached end of support and should be upgraded to the new platform, Quantum HD Unity version 12 and above. The update procedure can be found here: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories


OpenCVE Recommended Actions

  • Restore the device to a supported firmware platform by upgrading to Quantum HD Unity version 12 or newer, following the vendor’s update procedure documented at the Johnson Controls website
  • Ensure that all deployed units are running the patched firmware and eliminate any legacy firmware (v10.22 or earlier) from the inventory
  • If an immediate upgrade is not feasible, document the credential exposure and implement network segmentation or firewall rules to limit external access to the device until the firmware is updated


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Johnsoncontrols frick Controls Quantum Hd Firmware |
| Weaknesses | | CWE-522 |
| CPEs | | cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*; cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Johnsoncontrols frick Controls Quantum Hd Firmware |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Fri, 27 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 27 Feb 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Johnsoncontrols; Johnsoncontrols frick Controls Quantum Hd |
| Vendors & Products | | Johnsoncontrols; Johnsoncontrols frick Controls Quantum Hd |

Fri, 27 Feb 2026 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue affects Frick Controls Quantum HD version 10.22 and prior. |
| Title | | Johnson Controls-Frick Quantum HD-Hardcoded Email Credentials Saved as Plaintext in Firmware |
| Weaknesses | | CWE-256 |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: jci

Published:

Updated: 2026-02-27T16:17:45.915Z

Reserved: 2026-01-02T13:23:28.169Z

Link: CVE-2026-21660

Vulnrichment

Updated: 2026-02-27T16:17:39.631Z

NVD

Status: Analyzed

Published: 2026-02-27T10:16:22.563

Modified: 2026-03-02T18:23:05.353

Link: CVE-2026-21660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses