CVE-2026-21659

Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01	Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-27 10:16

Updated : 2026-03-02 18:23

NVD link : CVE-2026-21659

Mitre link : CVE-2026-21659

CVE.ORG link : CVE-2026-21659

JSON object : View

Products Affected

johnsoncontrols

frick_controls_quantum_hd
frick_controls_quantum_hd_firmware

CWE

CWE-23

Relative Path Traversal

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-21659", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "productsecurity@jci.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-27T10:16:22.373", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "productsecurity@jci.com"}, {"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["Vendor Advisory"], "source": "productsecurity@jci.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "productsecurity@jci.com", "description": [{"lang": "en", "value": "CWE-23"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD\u00a0allow an unauthenticated attacker to\nexecute arbitrary code on the affected device, leading to full system compromise. \nThis issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior."}, {"lang": "es", "value": "Ejecuci\u00f3n remota de c\u00f3digo no autenticada y revelaci\u00f3n de informaci\u00f3n debido a una vulnerabilidad de inclusi\u00f3n local de ficheros (LFI) en Johnson Controls Frick Controls Quantum HD permiten a un atacante no autenticado ejecutar c\u00f3digo arbitrario en el dispositivo afectado, lo que lleva a un compromiso total del sistema. Este problema afecta a Frick Controls Quantum HD: Frick Controls Quantum HD versi\u00f3n 10.22 y anteriores."}], "lastModified": "2026-03-02T18:23:49.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:frick_controls_quantum_hd_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55477589-0B06-4570-B052-BAA9FC3D1F27", "versionEndIncluding": "10.22"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:frick_controls_quantum_hd:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E7C46C22-63A5-4B14-919A-09756664CBFE"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "productsecurity@jci.com"}