PatchSiren cyber security CVE debrief
CVE-2026-21657 Unknown Vendor CVE debrief
CVE-2026-21657 is a critical advisory for Johnson Controls' Frick Controls Quantum HD. CISA says insufficient validation of input in certain parameters may allow unexpected actions before authentication, creating a high-risk condition for operational environments. The supplied remediation guidance recommends moving legacy systems to Quantum HD Unity version 12 or higher and then confirming the hardening configuration.
- Vendor: Unknown Vendor
- Product: Johnson Controls, Inc. Frick Controls Quantum HD <=10.22
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
OT/ICS operators, plant engineers, industrial control system administrators, and integrators responsible for Johnson Controls Frick Controls Quantum HD deployments, especially systems exposed to remote access or broader internal networks.
Technical summary
CISA's advisory describes insufficient input validation in certain parameters that may permit unexpected actions before authentication occurs. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating a network-reachable, unauthenticated attack path with high integrity and availability impact. The source corpus identifies the product as Frick Controls Quantum HD and notes legacy platforms as end of support; remediation guidance points to Quantum HD Unity version 12 or higher plus post-upgrade hardening checks. No KEV listing is included in the supplied enrichment.
Defensive priority
Immediate. Treat as a critical pre-authentication issue with potential for remote misuse and high operational impact. Prioritize inventory, exposure reduction, and remediation planning now.
Recommended defensive actions
- Identify all Frick Controls Quantum HD deployments and confirm the installed version(s) against the advisory scope.
- Plan and execute the vendor-recommended migration to Quantum HD Unity version 12 or higher.
- Use the provided update procedure from the advisory materials when performing the upgrade.
- After upgrading, verify compliance with the hardening guide and apply all recommended security configurations.
- Review control-system network exposure and limit access to management interfaces consistent with ICS defense-in-depth practices.
- Track Johnson Controls and CISA advisory updates for any scope clarifications or additional remediation guidance.
Evidence notes
The debrief is based on the CISA CSAF advisory ICSA-26-057-01 and its embedded remediation notes. The advisory text states that insufficient validation of input in certain parameters may permit unexpected actions before authentication occurs. The supplied metadata also records CVSS 9.1 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/C:N/I:H/A:H and references a product migration to Quantum HD Unity 12 or higher. Timing references use the advisory/CVE publication date of 2026-02-26 only; no later generation or review time is treated as the issue date. One source inconsistency remains in the supplied corpus: the product title metadata says <=10.22 while the remediation text describes versions 10.22 through 11 as legacy/end-of-support.
Official resources
- CVE-2026-21657 CVE record (CVE.org)
- CVE-2026-21657 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published ICS Advisory ICSA-26-057-01 and the CVE record on 2026-02-26. No KEV listing is included in the supplied enrichment.