PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-21659 Johnson Controls Frick Controls Quantum HD CVE debrief

CVE-2026-21659 is a high-severity OT vulnerability in Johnson Controls Frick Controls Quantum HD, versions 10.22 and earlier. According to the CISA advisory, an unauthenticated attacker can execute arbitrary code on the affected device, which can result in full system compromise. The CVSS vector records a network attack vector, low attack complexity, and no privileges or user interaction required, so an attacker who can reach the device needs no credentials; affected environments should treat this as an urgent remediation item.

Vendor
Johnson Controls, Inc. (the CVE record's vendor field is unpopulated; the vendor is taken from the product entry and the advisory)
Product
Johnson Controls, Inc. Frick Controls Quantum HD <=10.22
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26
Original CVE updated
2026-02-26
Advisory published
2026-02-26
Advisory updated
2026-02-26

Who should care

Industrial control system owners, OT/ICS administrators, facility operators, and integrators running Frick Controls Quantum HD should prioritize this issue, especially where the device is exposed to untrusted networks or supports critical refrigeration and control operations.

Technical summary

The supplied CISA CSAF advisory describes CVE-2026-21659 as an unauthenticated arbitrary-code-execution vulnerability in Frick Controls Quantum HD, with potential for full system compromise. The CVSS 3.1 vector supplied with the record is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which scores 7.5 (HIGH). Note the mismatch: that vector records a confidentiality-only impact (C:H with I:N and A:N), while the advisory text describes arbitrary code execution and full system compromise, which would ordinarily be scored with high integrity and availability impact as well. Plan remediation on the advisory's description rather than on the 7.5, and confirm the vector against the advisory itself before copying the score into a risk register. The remediation guidance in the advisory recommends moving legacy Quantum HD platforms to Quantum HD Unity version 12 or higher and then applying the vendor's hardening guidance.

Defensive priority

High. This is an unauthenticated RCE affecting an ICS/OT product, so exposure should be treated as urgent, particularly on production or remotely accessible systems.

Recommended defensive actions

  • Identify all Frick Controls Quantum HD deployments and confirm whether each falls inside the advisory's affected scope (versions 10.22 and earlier); treat devices whose version cannot be confirmed as affected until proven otherwise.
  • Plan and execute the vendor-recommended upgrade to Quantum HD Unity version 12 or higher, using the published update procedure and a maintenance window appropriate for the refrigeration or control process the device runs.
  • After upgrading, verify compliance with the vendor hardening guide and apply all recommended security configurations.
  • Restrict network exposure to the device to only necessary management and operational paths while remediation is in progress.
  • Monitor for unexpected device behavior, configuration changes, and anomalous network activity until remediation is complete.
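For the first two actions above (inventory and scope check), the following triage script is an added example and not PatchSiren's or Johnson Controls' tooling. The inventory rows, their column names, and the network zones are constructed for the example; real asset inventories will differ. The affected ceiling (10.22) and the recommended floor (Unity 12) come from the advisory scope and remediation guidance quoted on this page. The deliberate edge case is the version string "10.3", which sorts after "10.22" as text but is the older, affected release.

```python
"""Triage a constructed asset inventory against the CVE-2026-21659 scope.

Added example (not the page's or the vendor's code). Affected scope is
Frick Controls Quantum HD <= 10.22; recommended target is Quantum HD Unity
version 12 or higher. Inventory data below is constructed, not real devices.
"""
import csv
import io
import re

AFFECTED_MAX = (10, 22)   # "<=10.22" from the advisory's product scope
RECOMMENDED_MIN = (12,)   # "Unity version 12 or higher" from the remediation guidance

# Constructed sample inventory. "10.3" is included on purpose: as a string it
# compares greater than "10.22", as a version it is older and therefore affected.
SAMPLE_INVENTORY = """asset,product,version,network_zone
RF-01,Frick Controls Quantum HD,10.22,process-lan
RF-02,Frick Controls Quantum HD,10.3,process-lan
RF-03,Frick Controls Quantum HD,11.1,dmz
RF-04,Frick Controls Quantum HD Unity,12.0,process-lan
RF-05,Frick Controls Quantum HD,unknown,process-lan
HMI-01,Other HMI,4.2,process-lan
"""


def parse_version(text):
    """Turn '10.22' into (10, 22); return None for anything non-numeric.

    Comparing tuples of ints avoids the lexical trap where '10.3' > '10.22'.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def classify(product, version_text):
    """Map one inventory row to a remediation bucket for this advisory."""
    if "quantum hd" not in product.lower():
        return "out-of-scope"
    v = parse_version(version_text)
    if v is None:
        # Cannot confirm the version: verify on the device, assume affected meanwhile.
        return "unknown-version"
    if v <= AFFECTED_MAX:
        return "affected"               # inside the advisory's <=10.22 scope
    if v >= RECOMMENDED_MIN:
        return "on-recommended-line"    # Unity 12+; still confirm hardening guide applied
    # Above 10.22 but below the recommended version: the advisory's stated
    # scope does not cover it, so confirm its status with the vendor.
    return "verify-with-vendor"


def triage(inventory_csv):
    """Return {asset: bucket} for every row of the CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["product"], r["version"]) for r in rows}


if __name__ == "__main__":
    for asset, bucket in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:7} {bucket}")
```

Anything in the "affected" or "unknown-version" buckets is the upgrade list; "verify-with-vendor" rows are not claimed to be vulnerable by this page, but they are below the version the vendor tells you to run, so they belong in the same conversation with the vendor.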

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-057-01, initially published on 2026-02-26, and the supplied CVE record metadata. The corpus indicates no KEV listing and no ransomware-campaign association. The CVE record's vendor field is unpopulated; the vendor name is taken from the product entry and the advisory. Vendor remediation guidance in the advisory recommends upgrading legacy Quantum HD platforms to Quantum HD Unity version 12 or higher and then applying the hardening recommendations.

Official resources

CISA published the associated CSAF advisory on 2026-02-26, which is the appropriate public disclosure date to use for this issue. The supplied corpus does not include a separate exploit-release date or any KEV due date.