Johnson Controls has disclosed a cluster of six vulnerabilities, spanning Critical to Medium severity, affecting the Frick Controls Quantum HD industrial refrigeration controller running firmware version 10.22 and earlier. The most severe, CVE-2026-21654 with a CVSS v3.1 score of 9.1, is a pre-authentication OS command injection flaw that allows a remote, unauthenticated attacker to execute arbitrary operating system commands on the device over the network with no user interaction required. Accompanying CVEs -- CVE-2026-21656, CVE-2026-21657, and CVE-2026-21658, each also rated 9.1 -- introduce additional pre-authentication code injection paths, while CVE-2026-21659 (CVSS 7.5) enables arbitrary code execution via a relative path traversal weakness, and CVE-2026-21660 (CVSS 6.2) exposes hardcoded credentials enabling unauthorized access. The vulnerabilities were discovered by Noam Moshe of Claroty Research Team 82, disclosed through CISA ICS Advisory ICSA-26-057-01 on February 27, 2026, and remediated in Quantum HD Unity firmware version 12 and later.
The command injection and code injection vulnerabilities share a common root cause: insufficient validation of attacker-controlled input in the device's network-facing interface before authentication is performed. Because the flaws are pre-authentication, the Quantum HD's interface need only be reachable on the network for an attacker to achieve operating system-level code execution on the controller -- no credentials, no prior access, and no operator action are required. The hardcoded credential vulnerability, CVE-2026-21660, compounds this risk by providing a second, credential-based path to unauthorized access that persists regardless of password policy and cannot be eliminated through standard administrative controls. Together, these vulnerabilities present an attacker with multiple independent and highly reliable paths to full device compromise.
The Frick Controls Quantum HD is deployed in industrial refrigeration systems across cold storage, food processing, pharmaceutical manufacturing, and other sectors where precise temperature control is a safety and regulatory requirement. Exploitation could allow an attacker to take direct, unauthenticated control of refrigeration compressors and ancillary equipment, potentially causing product loss, equipment damage, process safety hazards, and extended operational downtime. Organizations running affected firmware versions should treat this advisory with the highest urgency: upgrade to Quantum HD Unity version 12 immediately, and apply compensating network controls until that upgrade can be completed.
CVE-2026-21654, with a CVSS v3.1 score of 9.1, is an OS command injection vulnerability (CWE-78) in the Johnson Controls Frick Controls Quantum HD arising from insufficient validation of attacker-supplied input in certain network-accessible parameters before authentication is enforced. An unauthenticated remote attacker with network access to the device's interface can inject arbitrary operating system commands executed with the privilege level of the underlying process -- likely a root-equivalent embedded system account -- without needing any valid credentials. Successful exploitation gives the attacker full command execution on the controller's operating system, enabling arbitrary reads and writes to the device filesystem, manipulation of refrigeration control parameters, installation of persistent backdoors, and use of the device as a pivot point for lateral movement into the broader OT or IT network. All Quantum HD firmware versions through 10.22 are confirmed affected; the remediation is an upgrade to Quantum HD Unity version 12 or higher.
CVE-2026-21656, CVE-2026-21657, and CVE-2026-21658, each carrying a CVSS v3.1 score of 9.1, are distinct code injection vulnerabilities (CWE-94) in the same Frick Controls Quantum HD platform, arising from improper input validation in different network-facing parameters and similarly exploitable pre-authentication. The exploitation outcome and prerequisites are identical to CVE-2026-21654: network reachability is the only requirement to achieve code execution on the controller. The presence of four independent critical injection paths means no single input-validation fix would close all exposure; only the firmware upgrade to version 12 eliminates all four vectors simultaneously.
CVE-2026-21659, with a CVSS v3.1 score of 7.5, is a relative path traversal vulnerability (CWE-23) in the Quantum HD that enables an unauthenticated remote attacker to access files or execute code outside the intended directory scope of the device's web application. While rated lower than the injection flaws, this vulnerability provides an additional pre-authentication code execution path that can be exploited independently or chained with the injection vulnerabilities for more sophisticated attack sequences.
CVE-2026-21660, with a CVSS v3.1 score of 6.2, is a hardcoded credential vulnerability (CWE-798) that enables unauthorized access using credentials embedded in the firmware. Because hardcoded credentials cannot be rotated through standard administrative procedures, all devices running affected firmware carry this exposure for the lifetime of the unpatched installation. An attacker who has obtained these credentials through firmware reverse engineering or prior disclosure can authenticate to any affected Quantum HD without alerting operators, providing a persistent authenticated access path that survives even if the injection vulnerabilities are individually addressed through input filtering or WAF controls.
Organizations operating Johnson Controls Frick Controls Quantum HD controllers at firmware version 10.22 or earlier face an immediate critical risk of full, unauthenticated remote compromise of their industrial refrigeration control systems. A successful exploitation of the command injection or code injection vulnerabilities would give an attacker arbitrary code execution on the controller, enabling direct manipulation of compressor setpoints, safety limits, and operating parameters -- with potential consequences including compressor damage, uncontrolled refrigerant release, product spoilage in temperature-controlled storage facilities, and loss of process safety in pharmaceutical or food manufacturing environments. Because the attack requires no credentials and no user interaction, and because the Quantum HD is often reachable from engineering workstations, business networks, or, in misconfigured environments, the internet, the attack surface is broad and the barrier to exploitation is exceptionally low. The hardcoded credential flaw additionally means that network isolation alone is insufficient if those credentials have been previously exposed through firmware analysis or other means.
From a regulatory and compliance perspective, exploitation of these vulnerabilities in regulated industries carries significant consequences. Pharmaceutical manufacturers operating under FDA 21 CFR Part 11 and GMP requirements, food processors subject to FDA FSMA, and cold chain operators under industry standards face potential product integrity failures, mandatory reporting obligations, and regulatory action if temperature excursions caused by a cyberattack result in contaminated or compromised product. Organizations subject to NERC CIP, IEC 62443, or sector-specific OT security standards will face heightened scrutiny if critical-severity vulnerabilities in network-accessible control devices remain unpatched when a vendor-supplied remediation has been available since February 2026. Auditors and regulators will expect documented evidence of either timely patching or formally risk-accepted compensating controls applied from the date of disclosure.
To mitigate the risks associated with CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, and CVE-2026-21660, organizations should consider the following actions:
1. Upgrade all affected Frick Controls Quantum HD controllers from firmware version 10.22 or earlier to Quantum HD Unity version 12 or higher using Johnson Controls' official update procedure, and verify full compliance with the vendor-supplied hardening guide after the upgrade is complete.
2. Immediately restrict network exposure of all Quantum HD controllers by isolating them on dedicated OT network segments behind industrial firewalls, ensuring the device's web interface and any other network-facing services are not reachable from corporate IT networks, remote access infrastructure, or the internet.
3. Require all remote access to Quantum HD controllers to traverse a VPN with strong multi-factor authentication, and prohibit direct remote access to the device's interface from outside the secure OT perimeter until the firmware upgrade has been applied and validated.
4. Audit all Quantum HD controller installations to identify any devices that are directly internet-reachable or accessible from networks outside the OT perimeter, prioritize their immediate network isolation, and log all access attempts to the device interface for the duration of the unpatched window.
5. Deploy OT network monitoring tools capable of detecting anomalous HTTP traffic, unexpected command execution patterns, or new outbound connections originating from Quantum HD controller IP addresses, and configure alerting for any network activity that deviates from the documented operational baseline.
6. After upgrading to Quantum HD Unity version 12, apply all security configurations recommended in the Johnson Controls hardening guide and conduct a post-upgrade validation to confirm that hardcoded credentials and injection-vulnerable parameters have been fully remediated in the deployed configuration.
By taking these steps, organizations can eliminate the direct vulnerability exposure through patching and substantially reduce the exploitability of any remaining risk through network isolation and active monitoring until patching is complete.
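As an added illustration of steps 2 through 5 (not code from the advisory, Johnson Controls, or 1898 & Co.), the following Python script checks constructed flow records against a documented operational baseline and flags controllers reachable from outside the OT segment, web-interface access from hosts other than the approved engineering workstations, and outbound connections a controller never makes in normal operation. All controller addresses, the OT segment, the engineering-host list and the baseline are assumed values; a real deployment would load them from the site's asset inventory and its firewall or flow logs.

```python
import ipaddress
from collections import namedtuple
# Constructed inventory for this example; a real deployment loads these from the asset register.
CONTROLLERS = {"10.10.5.21", "10.10.5.22"}            # Quantum HD controller addresses (assumed)
OT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")     # isolated OT segment (assumed)
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENGINEERING_HOSTS = {"10.10.1.50"}                    # only hosts permitted to reach the web interface
WEB_PORTS = {80, 443}
# Documented operational baseline: (controller, peer, port) tuples seen in normal operation.
BASELINE_OUTBOUND = {("10.10.5.21", "10.10.1.10", 502), ("10.10.5.22", "10.10.1.10", 502)}

Flow = namedtuple("Flow", "src dst dport")

def parse_flow(line):
    """Parse a key=value flow record such as 'src=10.0.0.1 dst=10.0.0.2 dport=443'."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(kv["src"], kv["dst"], int(kv["dport"]))

def classify(flow):
    """Return the reasons a flow deviates from the controller baseline (empty list if none)."""
    reasons = []
    if flow.dst in CONTROLLERS:
        src_ip = ipaddress.ip_address(flow.src)
        if not any(src_ip in net for net in INTERNAL_RANGES):
            reasons.append("controller reachable from a non-internal address")   # step 4: internet exposure
        elif src_ip not in OT_SEGMENT:
            reasons.append("inbound from outside the OT segment")                # step 2: IT-to-OT reachability
        if flow.dport in WEB_PORTS and flow.src not in ENGINEERING_HOSTS:
            reasons.append("web interface access from non-engineering host")    # steps 2-3: approved hosts only
    if flow.src in CONTROLLERS and (flow.src, flow.dst, flow.dport) not in BASELINE_OUTBOUND:
        reasons.append("outbound connection not in baseline")                   # step 5: new outbound from controller
    return reasons

def audit(lines):
    """Map each deviating flow record to its alert reasons; records matching the baseline are dropped."""
    return {line: reasons for line in lines if (reasons := classify(parse_flow(line)))}

# Constructed sample flow records; RFC 5737 documentation addresses stand in for external hosts.
SAMPLE_FLOWS = [
    "src=10.10.1.50 dst=10.10.5.21 dport=443",    # engineering host reaching the web UI: expected
    "src=10.10.5.21 dst=10.10.1.10 dport=502",    # controller talking to its baseline peer: expected
    "src=203.0.113.8 dst=10.10.5.21 dport=443",   # external address reaching the web UI
    "src=192.168.40.7 dst=10.10.5.22 dport=80",   # corporate IT host reaching the web UI
    "src=10.10.5.22 dst=198.51.100.9 dport=4444", # controller opening a new outbound connection
]

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_FLOWS).items():
        print(line, "->", "; ".join(reasons))
```

Every record that produces a reason is a candidate for the alerting in step 5; the baseline tuples should be extended from observed traffic during a known-good period rather than guessed.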
1898 & Co. is actively monitoring this disclosure and engaging with clients operating Johnson Controls Frick Controls Quantum HD systems to assess their firmware versions, evaluate network exposure, and develop prioritized upgrade and compensating control plans. Our OT and ICS security specialists are experienced with industrial refrigeration control infrastructure and can conduct rapid assessments to determine whether affected controllers are reachable from IT networks or the internet -- the highest-risk configurations for these vulnerabilities. Where the Quantum HD Unity version 12 upgrade cannot be applied immediately due to operational or maintenance scheduling constraints, 1898 & Co. will implement interim network isolation and monitoring controls to reduce exploitability during the unpatched window.
1898 & Co. works closely with CISA, ICS-CERT, and security research organizations including Claroty, whose Team 82 discovered these vulnerabilities, to receive timely intelligence on critical ICS disclosures affecting our clients' operational environments. This research and intelligence posture allows our team to respond immediately when critical vulnerabilities affecting industrial control systems are published and to provide clients with specific, actionable guidance calibrated to their deployment environments within hours of a major disclosure.
Our team has deep experience remediating command injection and code execution vulnerabilities across a wide range of industrial control system platforms, including refrigeration, HVAC, and building automation controllers. Clients operating affected Quantum HD systems are encouraged to engage 1898 & Co. immediately for an emergency exposure assessment and upgrade planning support, ensuring that these critical vulnerabilities are closed before they can be leveraged for operational disruption or broader OT network compromise.
1. CISA ICS Advisory ICSA-26-057-01 -- Johnson Controls Frick Controls Quantum HD
2. Johnson Controls Product Security Advisory