PatchSiren cyber security CVE debrief
CVE-2026-21656 Unknown Vendor CVE debrief
CVE-2026-21656 is a critical vulnerability in Johnson Controls, Inc. Frick Controls Quantum HD. CISA’s advisory says insufficient validation of input in certain parameters may permit unexpected actions before authentication, with CVSS 3.1 rated 9.1 (Critical). The advisory was published on 2026-02-26 and includes SSVCv2 metadata dated 2026-02-25.
- Vendor: Unknown Vendor
- Product: Johnson Controls, Inc. Frick Controls Quantum HD <=10.22
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
OT/ICS operators running Frick Controls Quantum HD, especially environments using affected legacy versions; control-system administrators; plant engineering teams; incident responders; and integrators responsible for maintaining Johnson Controls industrial refrigeration or control deployments.
Technical summary
The source advisory describes an input-validation weakness in certain parameters that could trigger unexpected actions prior to authentication. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating a network-reachable, low-complexity issue with no privileges or user interaction required and high integrity/availability impact. The source materials identify the product as Frick Controls Quantum HD <=10.22, while the remediation text also describes versions 10.22 through 11 as legacy platforms; both point to end-of-support legacy deployments and recommend upgrading to Quantum HD Unity version 12 or higher.
Defensive priority
High. This is a critical pre-authentication issue in an OT/ICS product, and the vendor guidance is to move off legacy platforms to a supported release.
Recommended defensive actions
- Upgrade affected systems to Quantum HD Unity version 12 or higher, following the vendor update procedure provided in the advisory.
- Treat Frick Controls Quantum HD deployments as legacy/end-of-support systems and prioritize replacement or migration planning if an immediate upgrade is not feasible.
- After upgrading, verify compliance with the hardening guide and apply all recommended security configurations.
- Review Johnson Controls Product Security Advisory JCI-PSA-2026-05 for detailed mitigation guidance.
- Validate which deployed versions are actually present in the environment, since the source materials contain version-range wording that should be confirmed during asset inventory.
Evidence notes
All statements are drawn from the supplied CISA CSAF advisory record for CVE-2026-21656 and its included remediation text. The advisory states: insufficient input validation may permit unexpected actions before authentication. It also provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H and remediation recommending upgrade to Quantum HD Unity v12 or higher. The source product/version text and remediation text use slightly different version ranges, so version inventory should be confirmed against the deployed asset list.
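The version-inventory check recommended above, as an added example (not code from the CISA advisory or from Johnson Controls): it classifies each recorded version under both version wordings quoted on this page, so the discrepancy is visible per asset. Asset names and version strings are constructed, and comparing versions as numeric major.minor pairs is an assumption.

```python
import re

FIXED_MAJOR = 12          # remediation: "Quantum HD Unity version 12 or higher"
PRODUCT_MAX = (10, 22)    # product field: "<=10.22"
LEGACY_MIN = (10, 22)     # remediation text: "10.22 through 11"
LEGACY_MAX_MAJOR = 11

def parse_version(text):
    """Return (major, minor) for '10.22', 'v11.4', '12'; None if unparsable."""
    m = re.fullmatch(r"\s*[vV]?(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text or "")
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def classify(version_text):
    """Say which of the page's two version wordings covers this version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown-verify-on-device"
    if v[0] >= FIXED_MAJOR:
        return "supported"
    in_product_field = v <= PRODUCT_MAX
    in_remediation = v >= LEGACY_MIN and v[0] <= LEGACY_MAX_MAJOR
    if in_product_field and in_remediation:
        return "affected-both-wordings"
    if in_product_field:
        return "affected-product-field-only"
    return "legacy-remediation-text-only"

def triage(inventory):
    """Return ({asset: status}, sorted assets not confirmed on version 12+)."""
    status = {name: classify(ver) for name, ver in inventory}
    pending = sorted(n for n, s in status.items() if s != "supported")
    return status, pending

# Constructed sample inventory (hypothetical asset names and versions).
SAMPLE_INVENTORY = [
    ("compressor-panel-01", "10.16"),
    ("compressor-panel-02", "10.22"),
    ("engine-room-hmi", "v11.4"),
    ("cold-store-unity", "12.1"),
    ("spare-panel", "unknown"),
]

if __name__ == "__main__":
    status, pending = triage(SAMPLE_INVENTORY)
    for name, state in status.items():
        print(f"{name:22} {state}")
    print("Not confirmed on v12+:", ", ".join(pending))
```

Every asset below version 12 lands in the pending list whichever wording covers it; the status label only records which source text to cite when confirming the version on the device.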
Official resources
- CVE-2026-21656 CVE record (CVE.org)
- CVE-2026-21656 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory and CVE record on 2026-02-26. The source advisory includes SSVCv2 metadata dated 2026-02-25. No exploitation details beyond the advisory’s description are included here.