Cyber Resilience

CVE-2026-21660

Medium

Published: 27 February 2026

Published
27 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0023 13.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-21660 is a medium-severity Plaintext Storage of a Password (CWE-256) vulnerability in Johnsoncontrols Frick Controls Quantum Hd Firmware. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2026-21660 is a Hardcoded Email Credentials Saved as Plaintext in Firmware vulnerability (CWE-256: Plaintext Storage of a Password; also CWE-522) in Frick Controls Quantum HD version 10.22 and prior. The issue involves credentials stored in plaintext within the firmware, enabling unauthorized access, exposure of sensitive information, and potential misuse or system compromise.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable by remote attackers over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, allowing attackers to access email credentials, sensitive data, and potentially compromise the affected system.

Mitigation guidance is available in the CISA ICS Advisory ICSA-26-057-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 and Johnson Controls security advisories at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue…

more

affects Frick Controls Quantum HD version 10.22 and prior.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Plaintext hardcoded email credentials in firmware directly match unsecured credentials stored in files/configuration, enabling extraction and use for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21656Same product: Johnsoncontrols Frick Controls Quantum Hd
CVE-2026-21654Same product: Johnsoncontrols Frick Controls Quantum Hd
CVE-2026-21658Same product: Johnsoncontrols Frick Controls Quantum Hd
CVE-2026-21657Same product: Johnsoncontrols Frick Controls Quantum Hd
CVE-2026-21659Same product: Johnsoncontrols Frick Controls Quantum Hd
CVE-2025-21111Shared CWE-256, CWE-522
CVE-2021-47961Shared CWE-256
CVE-2026-21417Shared CWE-256
CVE-2024-41336Shared CWE-256
CVE-2025-36258Shared CWE-256

Affected Assets

johnsoncontrols
frick controls quantum hd firmware
≤ 10.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 requires protecting authenticators from unauthorized disclosure, directly addressing plaintext storage of hardcoded email credentials in firmware.

prevent

SC-28 mandates protection of sensitive information at rest, preventing exposure of plaintext credentials embedded in firmware.

prevent

SI-2 ensures timely identification, reporting, and correction of flaws like hardcoded plaintext credentials in firmware versions.

References