
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21654: Pre-Authentication Remote Code Execution in Johnson Controls Frick Quantum HD

Vulnerability ID: CVE-2026-21654
CVSS Score: 9.1
Published: 2026-02-27

A critical OS Command Injection vulnerability exists in Johnson Controls Frick Controls Quantum HD panels (versions 10.22 and prior), allowing unauthenticated remote attackers to execute arbitrary code with root privileges. This flaw poses severe risks to industrial refrigeration processes and safety systems.

TL;DR

CVE-2026-21654 is a critical (CVSS 9.1) unauthenticated RCE vulnerability in Johnson Controls Frick Quantum HD industrial controllers. It allows attackers to inject OS commands via network requests, potentially disrupting physical refrigeration processes. The vendor has declared the affected versions End of Support (EoS) and advises upgrading to the Quantum HD Unity platform.


Technical Details

  • CVE ID: CVE-2026-21654
  • CWE ID: CWE-78 (OS Command Injection)
  • CVSS v3.1: 9.1 (Critical)
  • Attack Vector: Network (Pre-Auth)
  • Impact: Remote Code Execution / Full System Compromise
  • Vendor Status: End of Support (No Patch Available)
  • Remediation: Upgrade to Unity v12 Platform

Affected Systems

  • Johnson Controls Frick Controls Quantum HD (Compressor Panel)
  • Industrial Refrigeration Control Systems
  • Food and Beverage Processing Infrastructure
  • Cold Storage Management Systems
  • Frick Controls Quantum HD: <= 10.22 (no fixed release in this product line; remediation is an upgrade to Quantum HD Unity v12)

Mitigation Strategies

  • Upgrade to Quantum HD Unity platform
  • Network Segmentation
  • VPN for Remote Access
  • Disable Internet Exposure

Remediation Steps:

  1. Audit all Frick Quantum HD devices to identify versions 10.22 and prior.
  2. Isolate affected devices immediately from the internet and business networks.
  3. Implement strict firewall rules allowing access only from trusted management subnets.
  4. Plan and execute an upgrade to Quantum HD Unity version 12 or higher.
  5. Verify the new installation against the Johnson Controls Hardening Guide.
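To support steps 1 and 2, here is an added inventory triage helper (not from the report or from Johnson Controls). The device list is constructed; the real point is that firmware versions must be compared numerically, since a plain string comparison ranks "10.3" above "10.22" and would miss an affected panel.

```python
"""Triage a device inventory for CVE-2026-21654 (Frick Quantum HD <= 10.22)."""

AFFECTED_MODEL = "Frick Quantum HD"
LAST_AFFECTED_VERSION = (10, 22)  # versions 10.22 and prior are affected

# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = [
    {"host": "comp-panel-01", "model": "Frick Quantum HD", "firmware": "10.22"},
    {"host": "comp-panel-02", "model": "Frick Quantum HD", "firmware": "10.3"},
    {"host": "comp-panel-03", "model": "Frick Quantum HD", "firmware": "9.18"},
    {"host": "comp-panel-04", "model": "Frick Quantum HD Unity", "firmware": "12.0"},
    {"host": "plc-07", "model": "OtherVendor PLC", "firmware": "3.1"},
]


def parse_version(text):
    """Split 'major.minor[.patch]' into a tuple of ints.

    Tuple comparison is numeric per component, so (10, 3) < (10, 22),
    whereas the string '10.3' sorts after '10.22' and would be missed.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(model, firmware):
    """True for a non-Unity Quantum HD panel at major.minor <= 10.22.

    Only the first two components are compared, so any 10.22.x build is
    treated as affected (the product line is End of Support with no patch).
    """
    if model.strip() != AFFECTED_MODEL:
        return False
    return parse_version(firmware)[:2] <= LAST_AFFECTED_VERSION


def triage(inventory):
    """Return hostnames to isolate now and schedule for the Unity v12 upgrade."""
    return [d["host"] for d in inventory if is_affected(d["model"], d["firmware"])]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED: {host} -> isolate from internet/business networks; plan Unity v12 upgrade")
```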

Read the full report for CVE-2026-21654 on our website for more details including interactive diagrams and full exploit analysis.
