Severity score (CVSS 4.0): 8.7
Frick Controls Quantum HD: Unauthenticated Attackers Can Run Malicious Code
CVE-2026-21659
Summary
Frick Controls Quantum HD version 10.22 and earlier allows an attacker to run malicious code on the device without needing a password, through a local file inclusion (path traversal) flaw. This is a serious issue as it can lead to the entire system being taken over. Immediate action is required to update to the latest version of the software.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| johnsoncontrols | frick_controls_quantum_hd_firmware | <= 10.22 | – |
Original title
Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to
e...
Original description
Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise.
This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.
nvd CVSS3.1
9.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-23
CWE-22
Path Traversal
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 Third Party Advisory US Government Resource
- https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories Vendor Advisory
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026