Cyber Resilience

CVE-2026-21659

High

Published: 27 February 2026
Modified: 02 March 2026
KEV Added:
Patch:
CVSS Score (v4): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0091 (55.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21659 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Johnson Controls Frick Controls Quantum HD Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21659 is an unauthenticated remote code execution (RCE) and information disclosure vulnerability stemming from a local file inclusion (LFI) flaw, tracked under CWE-23 and CWE-22. It affects Johnson Controls Frick Controls Quantum HD devices, specifically version 10.22 and prior. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.

An unauthenticated attacker can exploit this LFI vulnerability remotely over the network to execute arbitrary code on the affected device, resulting in full system compromise. This also enables information disclosure, allowing access to sensitive data on the target system.

Mitigation details are outlined in advisories from CISA (ICSA-26-057-01) and in the Johnson Controls Trust Center cybersecurity advisories, available at the respective reference URLs. Security practitioners should consult these for patching instructions and workarounds applicable to Frick Controls Quantum HD devices.

Vulnerability details

An unauthenticated Remote Code Execution and Information Disclosure vulnerability, caused by a Local File Inclusion (LFI) flaw in Johnson Controls Frick Controls Quantum HD, allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

An unauthenticated LFI in a network-accessible service on the device enables exploitation of a public-facing application (T1190) for RCE, and file and directory discovery (T1083) for information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21656 · Same product: Johnson Controls Frick Controls Quantum HD
CVE-2026-21658 · Same product: Johnson Controls Frick Controls Quantum HD
CVE-2026-21657 · Same product: Johnson Controls Frick Controls Quantum HD
CVE-2026-21654 · Same product: Johnson Controls Frick Controls Quantum HD
CVE-2026-21660 · Same product: Johnson Controls Frick Controls Quantum HD
CVE-2025-14182 · Shared CWE-22
CVE-2026-33670 · Shared CWE-22
CVE-2026-40163 · Shared CWE-22
CVE-2025-29789 · Shared CWE-22, CWE-23
CVE-2025-27410 · Shared CWE-22, CWE-23

Affected Assets

johnsoncontrols · frick controls quantum hd firmware · ≤ 10.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation) directly prevents LFI exploitation by requiring validation of inputs to block malicious file path traversals that enable unauthenticated RCE.

Prevent: SI-2 (Flaw Remediation) ensures timely flaw remediation through patching the specific LFI vulnerability in Frick Controls Quantum HD version 10.22 and prior.

Prevent: SC-7 (Boundary Protection) implements boundary protection to restrict network access to the device, preventing remote unauthenticated exploitation of the LFI vulnerability.