CVE-2026-21659 is a vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) affecting Johnson Controls Frick Controls Quantum HD versions 10.22 and earlier. The vulnerability allows an unauthenticated remote attacker to exploit a local file inclusion (LFI) flaw, which can be leveraged to execute arbitrary code on the affected device. This occurs because the software fails to properly restrict file path inputs, enabling attackers to traverse directories and include unintended files. The consequence is remote code execution (RCE) without any authentication or user interaction, leading to full system compromise. The affected product is typically deployed in building automation and industrial control environments, where it manages HVAC and other critical systems. The CVSS 4.0 score of 8.7 indicates a high severity, with network attack vector, no required privileges, and no user interaction needed. Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the critical nature of the systems involved and the ease of exploitation. No patches are currently linked, so mitigation relies on network segmentation, access controls, and monitoring until a vendor fix is released.

The impact of CVE-2026-21659 is substantial for organizations using Johnson Controls Frick Controls Quantum HD, especially in sectors relying on building automation and industrial control systems. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary code remotely without authentication. This can result in unauthorized control over HVAC and other critical infrastructure components, potentially disrupting operations, causing physical damage, or enabling further lateral movement within networks. Information disclosure through LFI can expose sensitive configuration files or credentials, facilitating deeper attacks. The vulnerability threatens confidentiality, integrity, and availability of affected systems. Given the critical role of these systems in facilities management, exploitation could impact data centers, manufacturing plants, hospitals, and commercial buildings, leading to operational downtime, safety hazards, and financial losses.

1. Immediately implement network segmentation to isolate Frick Controls Quantum HD devices from untrusted networks, limiting exposure to potential attackers. 2. Employ strict access control lists (ACLs) and firewall rules to restrict inbound traffic to only trusted management networks. 3. Monitor network traffic and device logs for unusual file access patterns or unexpected remote connections indicative of exploitation attempts. 4. Disable any unnecessary services or interfaces on the affected devices to reduce attack surface. 5. Engage with Johnson Controls for updates and patches; prioritize testing and deployment of vendor-provided fixes once available. 6. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures tailored to detect path traversal and LFI attempts against these devices. 7. Conduct regular security assessments and penetration tests focused on building automation systems to identify and remediate similar vulnerabilities proactively. 8. Maintain an inventory of all affected devices and ensure they are tracked for timely patch management.