Johnson Controls’ Frick Controls Quantum HD family has been pushed into the center of a new industrial‑control security storm after a coordinated advisory flagged a cluster of high‑severity remote vulnerabilities that — if chained or exploited at scale — could let unauthenticated attackers run commands, leak sensitive configuration and credential data, or disrupt refrigeration operations used across food‑supply and manufacturing environments.
Overview
Frick Controls’ Quantum HD controllers are field‑deployed industrial refrigeration controllers used widely in food and beverage, cold‑storage, and process‑cooling installations. These systems manage compressors, evaporators, condensers and auxiliary equipment, and are frequently integrated into facility management and building‑automation networks. Johnson Controls markets Quantum HD both as an OEM control solution and as part of Frick branded refrigeration systems, and the product family has previously been the subject of coordinated vendor and government advisories.
On February 26, 2026, a CISA advisory published under the Industrial Control Systems advisories series identified a set of six related CVEs affecting Frick Controls Quantum HD firmware/stack releases (CVE‑2026‑21654, CVE‑2026‑21656, CVE‑2026‑21657, CVE‑2026‑21658, CVE‑2026‑21659, CVE‑2026‑21660). The advisory rates the combined impact for vendor‑equipment environments as very high (CVSS v3 score of 9.1 for the vendor equipment vulnerabilities) and describes fault classes including OS command injection, code injection, relative path traversal, and plaintext storage of passwords — failure modes that can produce pre‑authentication remote code execution (RCE), information disclosure, and denial‑of‑service (DoS). The advisory explicitly calls out Frick Controls Quantum HD versions ≤ 10.22 as affected. The vulnerabilities were reported to CISA by Noam Moshe of Claroty’s Team82 research group.
This latest advisory follows a recent history in which Frick/Johnson Controls has remediated other high‑impact issues in Quantum HD/Quantum HD Unity products — including a November 2023 CISA advisory about exposed debug functionality (CVE‑2023‑4804) that carried a maximum CVSS score and prompted vendor patches. That precedent is important because it shows both the operational significance of these controllers and the industry’s limited tolerance for leaving critical refrigeration control assets internet‑exposed.
What the Flaws Are (Technical Summary)
The vulnerability classes, explained
- OS command injection (CWE‑78 / similar): Input that is passed to an OS shell without proper sanitization can be shaped by an attacker to cause execution of arbitrary system commands. On an industrial controller that can mean altering control logic, invoking firmware utilities, or spawning backdoor processes that persist through reboots. The CISA advisory lists OS command‑injection style weaknesses among the findings.
- Code injection / improper code generation: These weaknesses arise when external data is incorporated into scripting or interpreter contexts without validation, allowing attacker‑controlled payloads to execute in privileged process space. The advisory groups one or more of the CVEs under this class.
- Relative path traversal: A classic web and file‑I/O problem where crafted path elements (e.g., “../”) allow an attacker to escape intended directories and read or write files outside a permitted location. On an embedded controller, this can reveal credential files or configuration blobs. The advisory documents this as another identified weakness.
- Plaintext storage of passwords / insufficient credential protection: Storing secrets without robust encryption (or with reversible/insufficient protection) creates a single‑step path to credential theft and lateral movement. The advisory calls out plaintext password storage as a distinct liability.
Affected versions and exposure profile
CISA specifies that Quantum HD versions ≤ 10.22 are affected by these particular issues. That version‑range callout narrows the operator action to two immediate checks: (1) inventory controllers and verify firmware version strings, and (2) determine whether any affected panels are reachable from enterprise or public networks. The advisory emphasizes that these products are deployed worldwide and notes the food and agriculture sector as an especially sensitive critical‑infrastructure consumer.
Who Discovered and Reported It
The coordinated disclosure credits Noam Moshe of Claroty’s Team82 research unit with the report to CISA. Team82 has a track record of ICS and building‑management research and has been publicly credited for multiple high‑impact disclosures that impacted HVAC, BMS and industrial control product lines. Claroty’s public materials and press releases outline Team82’s focus on BMS and OT exposures, supporting the advisory’s attribution.
Immediate Risk and Real‑World Implications
Why refrigeration controllers matter beyond temperature readings
At first glance, refrigeration controllers may appear to be low‑value targets compared with PLCs in power plants or gas pipeline SCADA systems. That assessment misses scale and consequence. Industrial refrigeration systems:
- Maintain cold chains for food safety and medicines.
- Control physical actuators that, when misconfigured, can damage equipment or stored product.
- Are often networked into building management systems and occasionally bridged to enterprise monitoring, creating lateral movement pathways.
Likely attack scenarios
- An unauthenticated, internet‑facing panel is probed and path traversal is used to read a plaintext credential file.
- The stolen credential is used to authenticate to an internal API or engineering tool, enabling authenticated code injection or firmware update manipulation.
- Privileged commands are invoked to change setpoints, disable alarms, or install persistence — culminating in DoS or silent sabotage of stored goods.
Vendor and Government Actions to Date
Johnson Controls maintains an active product security advisories page and historically issued advisories for Quantum HD variants; the vendor has produced firmware updates for Quantum HD‑family vulnerabilities in prior incidents (including the November 2023 debug code disclosure). For the current February 2026 CISA advisory, CISA’s recommendations focus on rapid network hardening and exposure reduction while vendors coordinate patches. Operators should expect Johnson Controls to publish product‑specific mitigations or firmware updates; however, as of the advisory’s initial release, patch availability and vendor timelines may vary by model and region, and operators must treat remediation as an urgent prioritization problem.
Recommended Defensive Measures (What Operators Must Do Now)
CISA’s guidance is deliberately pragmatic. For control‑system owners and integrators, immediate actions should be prioritized and documented. Below is an operational checklist designed for facilities running Frick Quantum HD controllers.
Short‑term (hours to days)
- Isolate vulnerable panels from the internet. Remove any direct public exposure and block external access at the perimeter firewall. If panels are internet‑exposed, assume compromise risk until patched.
- Segment OT networks. Place Quantum HD controllers on a dedicated OT VLAN with strict rules preventing lateral access from general enterprise endpoints.
- Block known management ports. Use allow‑lists for management traffic and restrict access to explicit trusted IPs or jump hosts.
- Audit remote‑access tools. Disable vendor remote‑support services if they are not needed, and require MFA and an audited jump host for any remote sessions.
- Hunt for anomalous activity. Look for unusual firmware‑update events, unexplained reboots, or unexpected outbound connections from controllers.
Medium‑term (days to weeks)
- Inventory and prioritize patching. Produce an accurate version inventory of all Quantum HD controllers (firmware, hardware revision), prioritize high‑exposure units, and schedule firmware updates when vendor patches are available.
- Rotate and vault credentials. Treat any plaintext or suspiciously stored passwords as compromised; rotate operator passwords and move secrets into an OT‑oriented vault solution.
- Deploy host/network detection. Implement IDS/IPS signatures and EDR for engineering workstations that interact with Quantum HD panels; add monitoring for path‑traversal style HTTP requests or command‑injection patterns.
- Apply principle of least privilege. Ensure service accounts and maintenance tools run with minimal privileges necessary, and restrict engineer workstation capabilities.
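As an added example of the request monitoring called for above (not code from the advisory, CISA or Johnson Controls), the following Python scans web‑server access‑log lines for path‑traversal sequences, including percent‑ and double‑encoded forms, and for shell metacharacters in query strings. The log lines, hosts and paths are constructed placeholders, not real Quantum HD endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); hosts and paths
# are placeholders, not real Quantum HD endpoints.
SAMPLE_LOG = """\
10.0.5.12 - - [26/Feb/2026:10:01:03 +0000] "GET /status HTTP/1.1" 200 512
203.0.113.7 - - [26/Feb/2026:10:02:17 +0000] "GET /files?name=../../etc/passwd HTTP/1.1" 200 1834
203.0.113.7 - - [26/Feb/2026:10:02:19 +0000] "GET /files?name=..%2F..%2Fconf%2Fusers.cfg HTTP/1.1" 200 933
203.0.113.7 - - [26/Feb/2026:10:03:40 +0000] "GET /tools/ping?host=127.0.0.1;id HTTP/1.1" 500 0
10.0.5.12 - - [26/Feb/2026:10:04:02 +0000] "GET /files?name=report.csv HTTP/1.1" 200 2048
198.51.100.9 - - [26/Feb/2026:10:05:11 +0000] "GET /files?name=%252e%252e%252fconf HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path element: at the start or right after a separator.
TRAVERSAL_RE = re.compile(r'(?:^|[/?=&])\.\.(?:[/?&]|$)')
# Characters/sequences that chain or substitute commands in a POSIX shell.
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(')

def normalize(target: str) -> str:
    """Percent-decode up to twice so single- and double-encoded requests are
    compared in the same form as plain ones; fold backslashes to slashes."""
    decoded = target
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace('\\', '/')

def classify(target: str) -> list:
    """Return the names of the detection rules a request target trips."""
    findings = []
    norm = normalize(target)
    if TRAVERSAL_RE.search(norm):
        findings.append('path_traversal')
    # Shell metacharacters are only inspected in the query string, where
    # user-supplied parameters live; '&' is a legitimate separator there.
    query = norm.partition('?')[2]
    if query and SHELL_META_RE.search(query):
        findings.append('command_injection_chars')
    return findings

def scan_log(text: str) -> list:
    """Parse each access-log line and return one alert per flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (rules := classify(m['target'])):
            alerts.append({'src': m['src'], 'ts': m['ts'],
                           'target': m['target'], 'rules': rules})
    return alerts
```

Running `scan_log(SAMPLE_LOG)` flags four of the six constructed lines; the clean status and report requests pass untouched.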
Longer‑term (months)
- Replace or retrofit legacy units. If a controller is no longer receiving vendor security updates, plan for replacement or a field retrofit kit that modernizes the control plane. Johnson Controls advertises retrofit options for Quantum HD; consider them for aging fleets. (johnsoncontrols.com)
- Embed OT change control and CIEM. Adopt rigorous change‑control processes for firmware updates, and extend identity and entitlement management into OT.
- Build and test incident playbooks. Train facilities teams on incident response that includes physical safety checks (e.g., manual interlocks) and supplier escalation paths.
Why This Disclosure Matters for Food & Agriculture and Beyond
Refrigeration controllers sit at a nexus of operations and supply‑chain risk. A coordinated sabotage or even a targeted ransomware attack that compromises control logic across multiple cold‑storage facilities can generate cascading economic and public‑health effects. CISA’s disciplined focus on these product categories underscores broader federal concern about the resilience of food‑supply infrastructure, and it mirrors Claroty Team82’s research documenting the pervasive exposure of building‑management and industrial control devices to known exploitable vulnerabilities. The present advisory is a practical reminder that BMS/ICS devices remain an attractive and underprotected attack surface.
Strengths and Limitations of the Advisory and the Public Information
Strengths
- Clear, actionable mitigation posture: CISA’s recommendations are practical and prioritize immediate exposure reduction, which is critical when zero‑day chaining can enable severe impacts.
- Attribution to a named researcher and research team: The involvement of Claroty’s Team82 provides reproducibility and credibility; Team82’s prior responsible disclosures in the BMS/ICS space increase confidence in the technical assessment.
- Vendor history of patching: Johnson Controls has acknowledged and pushed remediation for Quantum HD/Unity issues in the past, indicating vendor engagement and an operational pathway for updates.
Limitations and uncertainties
- Patch availability and rollout timing are uncertain at publication: Vendor‑level fixes for all models/regions can lag, and CISA’s advisory is a defensive stopgap until fully tested vendor firmware is widely available. Operators must plan for windows of residual risk.
- Public exploit code and proof‑of‑concepts may appear quickly: The advisory notes no known public exploitation at release, but historically the window between advisory publication and exploit availability can be short for attractive ICS targets. Monitor threat feeds and prioritize scanning.
- Incomplete external documentation in public indexes: As of this advisory’s release, public CVE database entries, vendor KB articles, and third‑party vulnerability trackers may lag formal advisory content; operators should rely on the vendor and CISA coordination channels for authoritative patch and mitigation instructions. If you cannot independently verify a vendor‑patched version for your model, treat the device as vulnerable.
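One way to put the affected‑version callout (≤ 10.22) and the rule above into practice, as an added example that is not part of the advisory or of any Johnson Controls tooling: a Python triage of a constructed controller inventory that compares versions as numeric tuples, treats an unverifiable version as affected, and orders the results by network exposure. The inventory rows, site and panel names, and exposure classes are assumptions.

```python
import re

# Affected range from the CISA advisory: Quantum HD versions <= 10.22.
AFFECTED_MAX = (10, 22)
# Exposure classes, most urgent first, following the advisory's emphasis on
# internet-reachable and enterprise-reachable panels.
EXPOSURE_RANK = {'internet': 0, 'enterprise': 1, 'ot_only': 2}

# Constructed inventory rows; site and panel names are placeholders.
INVENTORY = [
    {'site': 'coldstore-A', 'panel': 'QHD-01', 'version': '10.22', 'exposure': 'internet'},
    {'site': 'coldstore-A', 'panel': 'QHD-02', 'version': '10.9', 'exposure': 'ot_only'},
    {'site': 'plant-B', 'panel': 'QHD-03', 'version': '10.23', 'exposure': 'enterprise'},
    {'site': 'plant-B', 'panel': 'QHD-04', 'version': '', 'exposure': 'enterprise'},
    {'site': 'dc-C', 'panel': 'QHD-05', 'version': '11.0.1', 'exposure': 'internet'},
    {'site': 'dc-C', 'panel': 'QHD-06', 'version': 'v10.3 build 7', 'exposure': 'ot_only'},
]

def parse_version(text):
    """Extract the leading dotted-numeric version as a tuple of ints, or None
    when nothing recoverable is present. Tuples compare component-wise, so
    (10, 9) < (10, 22); a float or string comparison would rank 10.9 above 10.22."""
    m = re.search(r'\d+(?:\.\d+)*', text or '')
    return tuple(int(p) for p in m.group(0).split('.')) if m else None

def is_affected(version_text):
    """True when the panel runs <= 10.22 or its version cannot be verified.
    Only major.minor is compared, so a 10.22.x build stays flagged until the
    vendor confirms it carries the fix; an unverifiable version is treated as
    vulnerable, per the advisory guidance."""
    v = parse_version(version_text)
    return v is None or v[:2] <= AFFECTED_MAX

def triage(rows):
    """Return the affected panels, most exposed first, with the reason noted."""
    hits = []
    for r in rows:
        if is_affected(r['version']):
            reason = ('version_unverified' if parse_version(r['version']) is None
                      else 'version_le_10.22')
            hits.append({**r, 'reason': reason})
    hits.sort(key=lambda r: EXPOSURE_RANK.get(r['exposure'], 99))
    return hits

if __name__ == '__main__':
    for h in triage(INVENTORY):
        print(f"{h['site']:12} {h['panel']:7} {h['exposure']:10} {h['reason']}")
```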
Practical Incident Response Checklist (Step‑by‑Step)
- Immediately isolate any Quantum HD panel confirmed (or suspected) to be running firmware ≤ 10.22 from enterprise and internet‑facing networks.
- Capture a forensic snapshot (configuration files, system logs, and firmware version strings) before applying updates. Maintain chain‑of‑custody.
- Rotate all operator/showback credentials that are stored or used by the controller. Assume plaintext storage equals compromise.
- Apply vendor‑supplied firmware updates as soon as they are validated in lab or testbed conditions; do not push blindly to production without a rollback plan.
- Monitor for indicators of compromise: unexpected outbound connections, new user accounts, sudden changes to setpoints, or disabled alarms.
- If evidence of compromise is found, engage incident response teams and notify the vendor and CISA through established reporting channels. CISA encourages organizations to report observed malicious activity for tracking and correlation.
Broader Takeaways: What This Means for OT Security Strategy
- Inventory and exposure management remain the linchpin of OT security. Knowing exactly which models and firmware versions are present across facilities is foundational; without that, prioritization is guesswork. Claroty’s exposure research highlights how frequently KEVs are present in BMS and related devices.
- Defense‑in‑depth is non‑optional for OT. Network segmentation, least privilege, credential vaulting, and monitored remote access reduce single‑point failures when vendor patches are delayed.
- Vendors and researchers must continue to collaborate. Rapid disclosure and coordinated patching cycles — combined with preexisting retrofit paths or modernized control kits — improve resilience, but the industry still needs faster vendor patch cadence and clearer operational guidance for OT operators. Johnson Controls’ past advisories show this is possible; the current advisory should be treated as a test of the vendor–operator–agency response chain.
Final Word to Operators
Treat this advisory as urgent. Immediately inventory Quantum HD instances in your estate, verify network exposure, and apply the containment steps above. If you rely on third‑party integrators for Quantum HD maintenance, demand proof of patched firmware and insist on evidence‑based change management. The combination of pre‑auth RCE and plaintext credential exposure is precisely the sort of vulnerability mix that enables rapid operational compromise — and for food and agriculture operators, the stakes are uniquely high.
For more detailed, device‑specific remediation steps, consult your Johnson Controls product‑security advisories and CISA’s ICS guidance. If you observe suspicious or malicious activity, escalate through your internal incident response channels and report to CISA for correlation with other incidents.
Acknowledgments: The public advisory credits Noam Moshe of Claroty Team82 for reporting the issues; Claroty’s Team82’s ongoing research into BMS exposures provides important empirical context for why these devices deserve prioritized hardening.
Conclusion
The Frick Controls Quantum HD advisory is a timely reminder that embedded industrial controllers — even ones focused on refrigeration — are mission‑critical assets that must be managed with the same urgency as enterprise servers. Quick, disciplined mitigation (isolation, segmentation, credential management) combined with a deliberate patch program is the only reliable path to reduce operational risk while vendors produce fully validated fixes.
Source: CISA Johnson Controls, Inc. Frick Controls Quantum HD | CISA