CVE-2026-21656
Code Injection in Johnson Controls Quantum HD Allows Pre-Auth Access
Publication date: 2026-02-27
Last updated on: 2026-03-02
Assigner: Johnson Controls
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| johnsoncontrols | frick_controls_quantum_hd_firmware | up to and including 10.22 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Control of Generation of Code, also known as a Code Injection vulnerability, found in Johnson Controls Frick Controls Quantum HD devices. It occurs because the device does not sufficiently validate input in certain parameters, which may allow an attacker to inject and execute unexpected code or actions on the device before authentication.
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthorized code execution on the affected device, potentially compromising its security. Since the issue occurs before authentication, an attacker could exploit it remotely without needing valid credentials, leading to unauthorized control or disruption of the device's functions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know