CVE-2026-21654 HIGH

CVE-2026-21654: Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution

Vendor Johnson Controls

Product Frick Controls Quantum HD

Weakness CWE-78

Published February 27, 2026

Last update March 6, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

March 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-21654

Related vulnerabilities

Identifiers

CVE CVE-2026-21654

CWE CWE-78

CVSS 8.8 / HIGH

Affected versions