CVE-2026-21660

Johnson Controls-Frick Quantum HD-Hardcoded Email Credentials Saved as Plaintext in Firmware

CVSS 6.9 MEDIUMEPSS 0.2%CWE-256

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.9EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

27 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue affects Frick Controls Quantum HD version 10.22 and prior.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

Johnson Controls · Frick Controls Quantum HD

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories