CVE-2026-21660

Critical

Published: 27 February 2026

Published

27 February 2026

Modified

02 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21660 is a critical-severity Plaintext Storage of a Password (CWE-256) vulnerability in Johnsoncontrols Frick Controls Quantum Hd Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

IA-5 requires protecting authenticators from unauthorized disclosure, directly addressing plaintext storage of hardcoded email credentials in firmware.

SC-28 Protection of Information at Rest good match

prevent

SC-28 mandates protection of sensitive information at rest, preventing exposure of plaintext credentials embedded in firmware.

SI-2 Flaw Remediation good match

prevent

SI-2 ensures timely identification, reporting, and correction of flaws like hardcoded plaintext credentials in firmware versions.

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Plaintext hardcoded email credentials in firmware directly match unsecured credentials stored in files/configuration, enabling extraction and use for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue…

affects Frick Controls Quantum HD version 10.22 and prior.

Deeper analysisAI

CVE-2026-21660 is a Hardcoded Email Credentials Saved as Plaintext in Firmware vulnerability (CWE-256: Plaintext Storage of a Password; also CWE-522) in Frick Controls Quantum HD version 10.22 and prior. The issue involves credentials stored in plaintext within the firmware, enabling unauthorized access, exposure of sensitive information, and potential misuse or system compromise.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable by remote attackers over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, allowing attackers to access email credentials, sensitive data, and potentially compromise the affected system.

Mitigation guidance is available in the CISA ICS Advisory ICSA-26-057-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 and Johnson Controls security advisories at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories.