PatchSiren cyber security CVE debrief

CVE-2026-21654 Unknown Vendor CVE debrief

CVE-2026-21654 affects Johnson Controls Frick Controls Quantum HD versions up to 10.22. According to CISA, insufficient validation of input in certain parameters may permit unexpected actions before authentication occurs. The advisory was published on 2026-02-26 and assigns a critical CVSS 3.1 score of 9.1. CISA recommends upgrading legacy systems to Quantum HD Unity version 12 or later.

Vendor: Unknown Vendor
Product: Johnson Controls, Inc. Frick Controls Quantum HD <=10.22
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

OT and industrial control system owners, plant operators, controls engineers, system integrators, and security teams responsible for Frick Controls Quantum HD deployments, especially those still running legacy versions 10.22 through 11.

Technical summary

The supplied advisory describes a pre-authentication weakness in Frick Controls Quantum HD where certain inputs are not sufficiently validated, allowing unexpected actions that could affect device security. The advisory identifies the affected legacy platforms as versions 10.22 through 11, with remediation centered on upgrading to Quantum HD Unity version 12 or higher and then applying the vendor hardening guidance. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, that is, reachable over the network, low attack complexity, no privileges or user interaction required, scope unchanged, no confidentiality impact, and high integrity and availability impact.

Defensive priority

High. This is a critical, network-reachable, pre-authentication issue on an OT product line that the advisory says is legacy and end-of-support. Prioritize patch planning, upgrade execution, and compensating controls for exposed or reachable devices.

Recommended defensive actions

  • Upgrade Frick Controls Quantum HD legacy systems to Quantum HD Unity version 12 or higher using the vendor update procedure referenced in the advisory.
  • After upgrading, verify compliance with the hardening guide and apply all recommended security configurations.
  • Review network exposure and restrict access to affected OT devices to only required management and operational paths.
  • Use the CISA advisory and Johnson Controls security advisory to confirm product scope, supported versions, and remediation steps before change windows.
  • Document any systems that cannot be upgraded immediately and apply compensating controls while tracking them for remediation.

Evidence notes

The debrief is based only on the supplied CISA CSAF advisory data for ICSA-26-057-01 / CVE-2026-21654. The source states the issue is due to insufficient input validation, can affect security before authentication, and rates severity at CVSS 9.1. It also states the affected legacy platforms are end of support and recommends upgrading to Quantum HD Unity version 12 or higher. No KEV listing or ransomware-campaign linkage is present in the supplied corpus.

Official resources

CISA published the advisory and CVE record on 2026-02-26. The supplied material does not indicate KEV inclusion, exploit publication, or known ransomware use.