Executive Summary
In February 2026, multiple critical vulnerabilities were identified in Johnson Controls' Frick Controls Quantum HD systems, versions 10.22 and prior. These vulnerabilities include unauthenticated remote code execution, code injection, and plaintext storage of passwords, potentially allowing attackers to execute arbitrary code, access sensitive information, and compromise system integrity. The affected systems are widely deployed in critical infrastructure sectors, including food and agriculture, posing significant security risks. (nvd.nist.gov)
The discovery of these vulnerabilities underscores the ongoing challenges in securing industrial control systems (ICS) against sophisticated cyber threats. Organizations utilizing these systems must prioritize timely updates and adhere to recommended security practices to mitigate potential exploitation and safeguard critical operations.
Why This Matters Now
The identification of these critical vulnerabilities highlights the urgent need for organizations to assess and secure their industrial control systems. With the increasing frequency of cyberattacks targeting critical infrastructure, it is imperative to implement robust security measures and stay vigilant against emerging threats.
Attack Path Analysis
An attacker exploited unauthenticated code injection vulnerabilities in the Frick Controls Quantum HD system to gain initial access. They then leveraged hardcoded credentials stored in plaintext to escalate privileges. Using the compromised system, the attacker moved laterally within the network to access other critical systems. They established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. Finally, the attacker executed commands that disrupted system operations, leading to significant impact.
Kill Chain Progression
Initial Compromise
Description
Exploited unauthenticated code injection vulnerabilities in the Frick Controls Quantum HD system to gain initial access.
Related CVEs
CVE-2026-21654
CVSS 8.8
Insufficient input validation in Johnson Controls Frick Controls Quantum HD allows pre-authentication remote code execution.
Affected Products:
Johnson Controls, Inc. Frick Controls Quantum HD – <=10.22
Exploit Status:
no public exploit
CVE-2026-21656
CVSS 8.8
Improper control of code generation in Johnson Controls Frick Controls Quantum HD allows pre-authentication code injection.
Affected Products:
Johnson Controls, Inc. Frick Controls Quantum HD – <=10.22
Exploit Status:
no public exploit
CVE-2026-21657
CVSS 8.8
Insufficient input validation in Johnson Controls Frick Controls Quantum HD allows pre-authentication remote code execution.
Affected Products:
Johnson Controls, Inc. Frick Controls Quantum HD – <=10.22
Exploit Status:
no public exploit
CVE-2026-21658
CVSS 8.8
Improper control of code generation in Johnson Controls Frick Controls Quantum HD allows pre-authentication code injection.
Affected Products:
Johnson Controls, Inc. Frick Controls Quantum HD – <=10.22
Exploit Status:
no public exploit
CVE-2026-21659
CVSS 8.7
Local file inclusion vulnerability in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote code execution.
Affected Products:
Johnson Controls, Inc. Frick Controls Quantum HD – <=10.22
Exploit Status:
no public exploit
CVE-2026-21660
CVSS 6.9
Hardcoded email credentials stored in plaintext in Johnson Controls Frick Controls Quantum HD firmware lead to unauthorized access.
Affected Products:
Johnson Controls, Inc. Frick Controls Quantum HD – <=10.22
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
OS Credential Dumping
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Flaw Remediation
Control ID: SI-2
PCI DSS 4.0 – System and Software Security
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: P1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Food Production
Critical infrastructure vulnerability in industrial refrigeration controls threatens food safety, supply chain integrity, and regulatory compliance through remote code execution attacks.
Food/Beverages
Johnson Controls Frick systems widely used in beverage processing face pre-authentication exploits enabling operational disruption and contamination risks through compromised refrigeration controls.
Dairy
Dairy operations heavily dependent on refrigeration systems vulnerable to critical CVEs allowing attackers to manipulate temperature controls and compromise product safety standards.
Warehousing
Cold storage warehouses using affected Quantum HD systems exposed to remote attacks that could compromise stored goods through temperature manipulation and system takeover.
Sources
- Johnson Controls, Inc. Frick Controls Quantum HD: https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 (Verified)
- Johnson Controls Product Security Advisory JCI-PSA-2026-05: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories (Verified)
- NVD Entry for CVE-2026-21659: https://nvd.nist.gov/vuln/detail/CVE-2026-21659 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial exploitation, it could limit the attacker's ability to leverage compromised systems for further malicious activities.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and minimizing trust relationships.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could constrain the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could detect and disrupt unauthorized command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not prevent all disruptive actions, it could limit the scope of impact by containing the attacker's activities within segmented network zones.
Impact at a Glance
Affected Business Functions
- Industrial Refrigeration Control Systems
- Food and Agriculture Processing
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of operational control data and system configurations.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- Utilize Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Regularly update and patch systems to mitigate known vulnerabilities.
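To act on the patching recommendation, the following added example (not code from the advisory, the vendor, or this page's author) triages an asset inventory for Quantum HD panels at or below version 10.22 and sorts internet-reachable ones first. The CSV columns, host names and zone labels are constructed assumptions, as is the choice to treat any 10.22.x build as in range.

```python
import csv
import io

# Affected range as stated on this page: Quantum HD versions 10.22 and prior.
LAST_AFFECTED = (10, 22)

# Constructed sample inventory; column names, hosts and zones are assumptions.
SAMPLE_INVENTORY = """host,product,version,reachable_from
comp-01,Frick Quantum HD,10.22,plant-vlan
comp-02,Frick Quantum HD,10.9,internet
comp-03,Frick Quantum HD,10.23,plant-vlan
comp-04,Frick Quantum HD,unknown,corp-lan
hmi-07,Other HMI,3.1,plant-vlan
"""

def parse_version(text):
    """Return a tuple of ints, or None if text is not a dotted numeric version."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def status(version_text):
    """Classify a version numerically: 10.9 is older than 10.22, unlike in a string compare."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # needs a manual check on the panel itself
    # Compare major.minor only, so a 10.22.x build is conservatively flagged (assumption).
    key = (v + (0,))[:2]
    return "affected" if key <= LAST_AFFECTED else "not_affected"

def triage(inventory_csv):
    """Return (host, status, reachable_from) for Quantum HD rows, worst first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "quantum hd" not in row["product"].lower():
            continue
        rows.append((row["host"], status(row["version"]), row["reachable_from"]))
    order = {"affected": 0, "unknown": 1, "not_affected": 2}
    # The flaws listed above are pre-authentication, so reachability drives priority:
    # internet-reachable panels sort first within each status.
    rows.sort(key=lambda r: (order[r[1]], r[2] != "internet", r[0]))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

Rows reported as unknown should be resolved by reading the version from the panel rather than assumed safe.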



