PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-21658 Unknown Vendor CVE debrief

CVE-2026-21658 is a critical pre-authentication issue in Johnson Controls, Inc. Frick Controls Quantum HD. CISA’s advisory says insufficient validation of input in certain parameters may permit unexpected actions before authentication occurs. The supplied CVSS v3.1 vector rates the issue 9.1/CRITICAL with no privileges or user interaction required and high integrity and availability impact.

Vendor: Unknown Vendor
Product: Johnson Controls, Inc. Frick Controls Quantum HD <=10.22
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

OT and ICS asset owners, plant operators, control system engineers, and security teams responsible for Frick Controls Quantum HD deployments and supporting infrastructure.

Technical summary

The CISA CSAF advisory (ICSA-26-057-01) describes insufficient input validation in certain parameters of Frick Controls Quantum HD. The advisory indicates the flaw may allow unexpected actions prior to authentication. The supplied scoring is CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (9.1, critical).

Defensive priority

Immediate. This is a critical, pre-authentication issue in an industrial control product, so affected environments should prioritize upgrade planning and exposure reduction now.

Recommended defensive actions

  • Inventory all Frick Controls Quantum HD systems and identify any legacy installations covered by the advisory.
  • Upgrade to Quantum HD Unity version 12 or later using Johnson Controls' documented update procedure.
  • After upgrading, verify compliance with the vendor hardening guide and apply the recommended security configurations.
  • Review Johnson Controls Product Security Advisory JCI-PSA-2026-05 for additional mitigation guidance.
  • Use CISA ICS recommended practices and defense-in-depth guidance to reduce exposure while remediation is underway.
  • Validate backups and recovery procedures before making changes to production OT systems.

Evidence notes

Source evidence comes from CISA's CSAF advisory ICSA-26-057-01, published 2026-02-26 and listed in the corpus as the initial publication with no later revision. The source notes the issue can impact the device before authentication occurs and includes SSVCv2/E:N/A:Y dated 2026-02-25T07:00:00Z. The supplied enrichment shows no KEV listing.

Official resources

CISA publicly disclosed CVE-2026-21658 in advisory ICSA-26-057-01 on 2026-02-26T07:00:00Z. The corpus shows an initial publication only and no KEV entry.