CVE-2026-21654

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-21654
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*
History

02 Mar 2026, 18:25

Type Values Removed Values Added
First Time Johnsoncontrols frick Controls Quantum Hd
Johnsoncontrols frick Controls Quantum Hd Firmware
Johnsoncontrols
CPE cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*
cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*
References () https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 - () https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 - Third Party Advisory, US Government Resource
References () https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories - () https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories - Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

27 Feb 2026, 10:16

Type Values Removed Values Added
Summary (en) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection.This issue affects Frick Controls Quantum HD version 10.22 and prior. (en) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

27 Feb 2026, 09:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-27 09:16

Updated : 2026-03-02 18:25

NVD link : CVE-2026-21654

Mitre link : CVE-2026-21654

CVE.ORG link : CVE-2026-21654

JSON object : View

Products Affected

johnsoncontrols

  • frick_controls_quantum_hd
  • frick_controls_quantum_hd_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')