Multiple Vulnerabilities Reported in Johnson Controls Frick Quantum HD Systems
Take action: If you run legacy Frick Controls Quantum HD systems, make sure they are isolated from the internet and reachable only from trusted networks. Then plan an upgrade to the Quantum HD Unity platform (version 12 or later), because the legacy versions are no longer supported and will not receive patches for these flaws.
Learn More
Johnson Controls released a security advisory about six vulnerabilities in the Frick Controls Quantum HD industrial control system. These flaws affect legacy versions of the platform used globally in the food and agriculture sectors.
Vulnerability summary:
- CVE-2026-21654 (CVSS score 9.1) - OS command injection. The system does not neutralize special elements in input parameters, so an unauthenticated remote attacker can run operating system commands on the device and gain high-level control over it.
- CVE-2026-21656 (CVSS score 9.1) - Code injection caused by improper control of code generation. An unauthenticated attacker who sends crafted input can inject and execute arbitrary code in the application's context.
- CVE-2026-21657 (CVSS score 9.1) - Code injection caused by insufficient input validation. A remote attacker can manipulate the device's logic and execute unauthorized instructions without credentials.
- CVE-2026-21658 (CVSS score 9.1) - Code injection through unvalidated parameters that permits unexpected actions. A remote attacker can use it to compromise the integrity and availability of the control system.
- CVE-2026-21659 (CVSS score 7.5) - Relative path traversal that lets an unauthenticated attacker read files outside the intended directory, exposing sensitive system files and configuration data.
- CVE-2026-21660 (CVSS score 6.2) - Plaintext storage of passwords and hardcoded credentials. A local attacker who can retrieve the stored secrets gains unauthorized access and exposes sensitive information.
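The advisory gives no code, so the following is an added example (not Johnson Controls code) of the CWE-78 pattern behind the OS command injection entry, CVE-2026-21654: a hypothetical maintenance handler that takes a host parameter and shells out. The endpoint, parameter name and command are assumptions; `echo` stands in for the real command so the example runs offline, and the injection mechanics are identical. The block shows the vulnerable shell-string form, the argv-only partial fix, and the hardened form with an allowlist plus argv list.

```python
"""Added example of CWE-78 OS command injection (the class behind
CVE-2026-21654) in a hypothetical maintenance handler. Not Johnson Controls
code; endpoint, parameter and command are assumptions."""
import re
import subprocess
from typing import List

# Constructed attacker input: a syntactically valid host followed by a shell
# command separator and a second command.
INJECTED_INPUT = "127.0.0.1; echo INJECTED"


def run_diag_vulnerable(host: str) -> str:
    """Vulnerable form: untrusted input is concatenated into a shell string
    and handed to /bin/sh, so ';', '|', '$()' and backticks are interpreted.
    `echo` stands in for `ping` so this runs offline."""
    command = f"echo ping -c 1 {host}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def run_diag_argv_only(host: str) -> str:
    """Partial fix: argv list with shell=False. The host reaches execve() as
    one argument, so metacharacters are inert data. Validation is still
    missing, so junk (and leading '-' option injection) reaches the command."""
    result = subprocess.run(["echo", "ping", "-c", "1", host],
                            shell=False, capture_output=True, text=True)
    return result.stdout


# Strict allowlist: dotted-quad IPv4 or an RFC 1123 hostname. Labels must
# start alphanumeric, which also blocks values such as "-c" that would be
# parsed as options by the target command.
_HOST_RE = re.compile(
    r"(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
)


def validate_host(host: str) -> str:
    """Return the host unchanged if it matches the allowlist, else raise."""
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def host_is_rejected(host: str) -> bool:
    """True when the allowlist would stop this value before any process runs."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def build_diag_argv(host: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. No shell."""
    return ["echo", "ping", "-c", "1", validate_host(host)]


def run_diag_hardened(host: str) -> str:
    result = subprocess.run(build_diag_argv(host), shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable :", run_diag_vulnerable(INJECTED_INPUT).splitlines())
    print("argv only  :", run_diag_argv_only(INJECTED_INPUT).splitlines())
    try:
        run_diag_hardened(INJECTED_INPUT)
    except ValueError as exc:
        print("hardened   :", exc)
```

Running it shows the second command executing in the vulnerable form, the same input printed as inert text in the argv-only form, and a rejection before any process starts in the hardened form. The two layers are deliberate: the argv list removes the shell as an interpreter, and the allowlist stops argument injection that an argv list alone does not.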
By exploiting these flaws, attackers can achieve remote code execution (RCE), force a denial-of-service (DoS) state, or leak sensitive operational data. In food and agriculture facilities, such a compromise could halt production lines, spoil refrigerated inventory, or allow an attacker to manipulate industrial cooling and processing parameters.
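The data-leak path above corresponds to the relative path traversal entry, CVE-2026-21659. As an added example (not Johnson Controls code; the directory layout and file names are constructed), the block below shows a hypothetical file-serving handler in its vulnerable form beside a hardened form that decodes once, rejects absolute paths, resolves the candidate and requires it to remain under the web root. It covers the raw `../` case plus percent-encoded and absolute-path variants.

```python
"""Added example of CWE-23 relative path traversal (the class behind
CVE-2026-21659) in a hypothetical file-serving handler. Not Johnson Controls
code; the directory layout and file names are constructed."""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import unquote


def make_sample_tree() -> Path:
    """Constructed layout: 'www' is the directory the handler may serve;
    'secrets.conf' beside it must never be reachable from a request."""
    root = Path(tempfile.mkdtemp(prefix="hd-traversal-demo-"))
    (root / "www").mkdir()
    (root / "www" / "status.html").write_text("<p>compressor 1: running</p>")
    (root / "secrets.conf").write_text("admin_password=demo-only")
    return root


def read_file_vulnerable(web_root: Path, requested: str) -> str:
    """Vulnerable form: the untrusted path is joined onto the web root and
    opened. '../secrets.conf' walks out of the directory, and because pathlib
    discards the left operand when the right one is absolute, '/etc/passwd'
    would be opened as-is."""
    return (web_root / requested).read_text()


def read_file_hardened(web_root: Path, requested: str) -> str:
    """Hardened form: decode exactly once (match the framework's decoding),
    reject NUL bytes and absolute paths, resolve the candidate (collapsing
    '..' and following symlinks) and require it to sit under the resolved
    web root."""
    decoded = unquote(requested)
    if "\x00" in decoded or Path(decoded).is_absolute():
        raise PermissionError(f"rejected path: {requested!r}")
    root = web_root.resolve()
    target = (root / decoded).resolve()
    try:
        target.relative_to(root)  # ValueError when target escaped root
    except ValueError:
        raise PermissionError(f"rejected path: {requested!r}") from None
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()


# Constructed probe set: raw traversal, percent-encoded dots, an encoded
# separator and an absolute path.
PROBES: List[str] = ["../secrets.conf", "%2e%2e/secrets.conf",
                     "..%2fsecrets.conf", "/etc/passwd"]


def run_demo() -> Dict[str, object]:
    """Run both handlers against the sample tree and report what each did."""
    root = make_sample_tree()
    www = root / "www"
    blocked: List[str] = []
    try:
        leak = read_file_vulnerable(www, "../secrets.conf")
        legit = read_file_hardened(www, "status.html")
        for probe in PROBES:
            try:
                read_file_hardened(www, probe)
            except PermissionError:
                blocked.append(probe)
        return {"vulnerable_leak": leak, "hardened_legit": legit,
                "hardened_blocked": blocked}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check is done on the resolved path rather than on the string: string filters such as stripping `../` miss encoded forms and symlinks, while `resolve()` followed by `relative_to()` judges where the request actually lands on disk. Decoding is applied once; if the web framework already decodes the URL, validate the value it hands you and do not decode again, or a double-encoded probe will slip past.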
The vulnerabilities affect all versions of Johnson Controls Frick Controls Quantum HD up to and including version 10.22.
Versions 10.22 through 11 are now legacy platforms: they have reached end-of-support status and will not receive patches for these flaws. Older installations therefore remain vulnerable until they are migrated to newer hardware or software platforms.
Johnson Controls recommends migrating to the Quantum HD Unity platform, version 12 or later, which is the current supported release. Until the upgrade is complete, isolate control networks from the internet and route any required remote access through a secure VPN.