CVE-2026-21659 in Frick Controls Quantum HD
Summary
by MITRE • 02/27/2026
Unauthenticated Remote Code Execution and Information Disclosure due to a Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability identified as CVE-2026-21659 is a critical flaw in Johnson Controls Frick Controls Quantum HD controllers, affecting version 10.22 and earlier. It is a local file inclusion (LFI) weakness that an unauthenticated, remote attacker can use to execute arbitrary code, potentially leading to complete compromise of the device. The flaw lies in the device's web interface, where a file inclusion parameter is used without sufficient input validation, so an attacker can steer it at files that were never meant to be reachable through the interface. The weakness is classified as CWE-98 (improper control of a filename used in an include statement), in which user-controllable input selects the file to be included without proper validation. What makes this instance particularly dangerous is not the LFI itself but the fact that the vulnerable functionality is reachable before any authentication, so every host that can reach the web interface on the network is a potential attacker.
Exploitation works by manipulating the file inclusion parameter of the web interface so that the device reads, and in the code-execution case evaluates, a file chosen by the attacker. Reading alone already yields information disclosure: local configuration files, credential stores and operational parameters become accessible to anyone who can reach the interface. Turning an LFI into code execution generally requires an attacker to get content under their control onto the device's filesystem (for example through a log file, an upload feature or a cache) and then include it; the advisory text available here does not state which path applies to Quantum HD, only that the outcome is arbitrary code execution. Any code run this way executes with the privileges of the web server process, and on an embedded controller that is frequently enough to take full control of the device's operations, including its configuration, its operating parameters and the equipment it controls.
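The advisory does not publish the vulnerable handler, so the following is an added, hypothetical illustration of the CWE-98 pattern described above, written in Python rather than whatever the device actually runs. It builds a constructed sandbox (a fake web root with one page, and a "secret" file one directory above it), shows a handler that joins user input onto the web root without validation, and beside it a hardened handler that allowlists page names and confines the canonicalised path to the web root. The function names, the sandbox layout and the parameter name `page` are all assumptions, not code from the product.

```python
import os
import tempfile

# Constructed sandbox: ROOT/www is the "web root" with one legitimate page;
# ROOT/secret.conf stands in for a sensitive file outside the web root.
ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
WEBROOT = os.path.join(ROOT, "www")
os.makedirs(WEBROOT)
with open(os.path.join(WEBROOT, "status.html"), "w") as fh:
    fh.write("<h1>status</h1>")
with open(os.path.join(ROOT, "secret.conf"), "w") as fh:
    fh.write("admin_password=hunter2")


def vulnerable_include(page: str) -> str:
    """CWE-98 pattern (hypothetical): the request parameter is joined onto the
    web root with no validation. '../' walks out of WEBROOT, and because
    os.path.join discards the base when the argument is absolute, a value
    like '/etc/passwd' is not even joined onto WEBROOT at all."""
    path = os.path.join(WEBROOT, page)
    with open(path) as fh:
        return fh.read()


# Hardened form: an explicit allowlist of the pages the interface serves.
ALLOWED_PAGES = {"status.html"}


def is_confined(page: str) -> bool:
    """Canonicalise the requested path (resolving '..' and symlinks) and
    check that it is still inside the web root. This is the check that
    catches traversal even when an allowlist is not practical."""
    root = os.path.realpath(WEBROOT)
    target = os.path.realpath(os.path.join(root, page))
    return os.path.commonpath([root, target]) == root


def safe_include(page: str) -> str:
    """Hardened handler: allowlist first, path confinement second. Both are
    applied so that a later change to the allowlist cannot silently reopen
    the traversal."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {page!r}")
    if not is_confined(page):
        raise ValueError(f"path escapes web root: {page!r}")
    with open(os.path.join(WEBROOT, page)) as fh:
        return fh.read()


if __name__ == "__main__":
    print(vulnerable_include("../secret.conf"))   # leaks the secret
    try:
        safe_include("../secret.conf")
    except ValueError as exc:
        print("blocked:", exc)
```

The confinement check uses `os.path.realpath` before comparing, because comparing the un-normalised string against the web root prefix is defeated by `..` segments and by symlinks inside the web root that point elsewhere.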
From an operational standpoint, the consequences go beyond code execution on a single box. Quantum HD controllers are deployed in industrial and building environments where the refrigeration and environmental-control equipment they manage is essential to operational continuity and, in many cases, to safety. An attacker who exploits this vulnerability could disrupt that equipment, change setpoints and alarm thresholds, read or modify operational data, or use the controller as a foothold for further attacks on the OT and IT networks it is connected to. Because the device can no longer enforce its own security posture once compromised, the risk is to both the availability of the controlled process and the physical safety of the facility that depends on it.
Mitigation starts with upgrading to a vendor-supplied release that fixes the LFI; the advisory text here does not name that release, so it should be confirmed against the vendor's own bulletin. Until the upgrade is applied, the most effective control is to make the web interface unreachable from untrusted networks: place the controller on a segmented OT network, never expose its web interface to the internet, and require remote access to go through a VPN or jump host restricted to authorised personnel. Additional measures include disabling web services that are not needed, applying strict access control on the network path to the device, and monitoring traffic to the web interface for file inclusion attempts (path traversal sequences such as `../`, URL-encoded and double-encoded variants, null bytes, and references to well-known system files). Regular vulnerability assessment and penetration testing of the controller network help surface similar weaknesses. In ATT&CK terms, the exploit itself is Initial Access via Exploit Public-Facing Application (T1190); only once the device is compromised do the usual follow-on techniques (persistence, command and control, lateral movement into the rest of the network) come into play, so detection should cover both the inbound exploitation attempt and unexpected outbound connections from the controller. Intrusion detection rules for LFI patterns and detailed audit logs of access to and configuration changes on the device give defenders the evidence needed to recognise a compromise after the fact.
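As an added example of the monitoring the paragraph above calls for, the Python below scans access-log lines for LFI attempts. It is not code from the vendor or from VulDB, and it assumes a reverse proxy or IDS in front of the controller that writes Apache/Nginx combined-format access logs (the controller's own log format is not documented on this page). It decodes the request target repeatedly so that double-encoded traversal sequences are caught, flags traversal sequences, null bytes, well-known sensitive file names and PHP-style stream wrappers, and rates a hit higher when the server answered 2xx, since that is the case where the inclusion most likely succeeded. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined-format access log line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators in the decoded request target. \x00 is a literal NUL after
# decoding %00; the Windows backslash form is included as well.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|\x00|/etc/passwd|/etc/shadow|/proc/self)', re.I)
WRAPPERS = re.compile(r'\b(php|file|expect|phar|data):', re.I)


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that
    %252e%252e%252f is seen as '../' and not as an opaque string."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(lines):
    """Return one finding per line that looks like a file inclusion attempt."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip, do not crash
        target = decode_target(m["target"])
        reasons = []
        if TRAVERSAL.search(target):
            reasons.append("traversal")
        if WRAPPERS.search(target):
            reasons.append("stream-wrapper")
        if not reasons:
            continue
        status = m["status"]
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": target,
            "status": status,
            "reasons": reasons,
            # A 2xx answer means the server served something for the request;
            # treat that as the higher-severity case.
            "severity": "high" if status.startswith("2") else "medium",
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Mar/2026:10:00:01 +0000] "GET /status.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Mar/2026:10:00:02 +0000] "GET /view?page=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2026:10:01:10 +0000] "GET /view?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1423 "-" "curl/8.4"',
    '203.0.113.7 - - [03/Mar/2026:10:01:11 +0000] "GET /view?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 221 "-" "curl/8.4"',
    '203.0.113.7 - - [03/Mar/2026:10:01:12 +0000] "GET /view?page=../../../../var/log/access.log%00 HTTP/1.1" 500 0 "-" "curl/8.4"',
    '203.0.113.7 - - [03/Mar/2026:10:01:13 +0000] "GET /view?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9001 "-" "curl/8.4"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["reasons"], f["target"])
```

Run against a real log, a practitioner would additionally aggregate by source address and time window, since a single encoded `../` is often a scanner probe while a burst of 2xx hits from one client against the controller is the signal worth paging on.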