PatchSiren cyber security CVE debrief
CVE-2026-21660 Unknown Vendor CVE debrief
CVE-2026-21660 affects Frick Controls Quantum HD and is caused by hardcoded credentials that can lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise. CISA published the advisory as ICSA-26-057-01 on 2026-02-26 and recommends upgrading to Quantum HD Unity version 12 or higher.
- Vendor: Unknown Vendor
- Product: Johnson Controls, Inc. Frick Controls Quantum HD <=10.22
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Owners and operators of Frick Controls Quantum HD deployments, OT/ICS security teams, plant engineers, and integrators supporting affected Quantum HD systems should review this advisory.
Technical summary
The advisory describes an access-control weakness caused by hardcoded credentials in Frick Controls Quantum HD. The supplied CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact with no integrity or availability impact in the score. The advisory also uses SSVCv2 notation with Exploitation: None and Automatable: None at publication time. Remediation guidance states that the affected Quantum HD platforms are legacy and end of support, and that operators should upgrade to Quantum HD Unity version 12 or higher, then verify compliance with the hardening guide and recommended security configurations.
Defensive priority
Medium to high for OT environments. Although the CVSS score is medium, hardcoded credentials in a legacy, end-of-support industrial control platform justify prompt remediation, especially where the affected system is operationally important.
Recommended defensive actions
- Upgrade affected Frick Controls Quantum HD installations to Quantum HD Unity version 12 or higher using the vendor’s update procedure.
- After upgrading, verify full compliance with the hardening guide and apply all recommended security configurations.
- Review related OT access-control practices to ensure hardcoded credentials or other embedded secrets are not left in use.
- Consult Johnson Controls Product Security Advisory JCI-PSA-2026-05 for additional mitigation guidance and coordinate changes with operations before making updates.
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-26-057-01 and the official CVE record. The advisory explicitly states that hardcoded credentials in Frick Controls Quantum HD can cause unauthorized access, exposure of sensitive information, and potential misuse or system compromise. The remediation section recommends upgrading to Quantum HD Unity version 12 or higher and references Johnson Controls Product Security Advisory JCI-PSA-2026-05. No KEV entry is present in the supplied corpus.
Official resources
- CVE-2026-21660 CVE record (CVE.org)
- CVE-2026-21660 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in ICS Advisory ICSA-26-057-01 on 2026-02-26. The supplied data shows an initial publication revision only and no KEV listing.