CVE-2026-21659
CRITICAL WAF: High
CVSS 9.8
Published: 2026-02-27
CWE-22
Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| johnsoncontrols | frick_controls_quantum_hd_firmware | up to 10.22 |
References
- www.cisa.gov (Third Party Advisory, US Government Resource)
- www.johnsoncontrols.com (Vendor Advisory)