ICSA-26-057-01 · Published 2026-02-26 · View on CISA ICS-CERT ↗

Johnson Controls, Inc. Frick Controls Quantum HD

CVSS 9.1 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities can lead to pre-authentication remote code execution, information leak or denial of service.

CVE-2026-21654 CVE-2026-21656 CVE-2026-21657 CVE-2026-21658 CVE-2026-21659 CVE-2026-21660

The Frick Controls Quantum HD, versions 10.22 through 11, are legacy platforms that have reached end of support. Johnson Controls, Inc. recommends upgrading to the latest platform, Quantum HD Unity, version 12 or higher. The update procedure can be found here (https://frickcontrolsblob.file.core.windows.net/frickweb1/Quantum-HD-Unity/Quantum_HD_Unity_Software_Update_Procedure.pdf?sv=2018-03-28&si=frickweb1-174C1294FA7&sr=f&sig=us0dhk6IWmCvmDvBs02yJvC%2BjnzbxqZmb4QEpVVDkxY%3D).
After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2026-05 at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories.

Johnson Controls, Inc.

Johnson Controls, Inc. · Frick Controls Quantum HD <=10.22

Food and Agriculture

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.