CVE-2026-21660: CWE-256: Plaintext Storage of a Password in Johnson Controls Frick Controls Quantum HD
Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise. This issue affects Frick Controls Quantum HD version 10.22 and prior.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-21660 identifies a plaintext password storage vulnerability (CWE-256) in Johnson Controls' Frick Controls Quantum HD product, specifically versions 10.22 and earlier. The issue arises from hardcoded email credentials embedded in the firmware without encryption or adequate protection. Because these credentials are stored in plaintext, an attacker with local or physical access to the device can extract them, potentially gaining unauthorized access to email accounts or other systems relying on these credentials. The vulnerability does not require user interaction or prior authentication but does require local access, limiting remote exploitation. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects that the attack vector is local, with low complexity, no privileges or user interaction needed, and high impact on confidentiality. This flaw could lead to exposure of sensitive information, unauthorized system control, or further lateral movement within a network. While no public exploits are currently known, the presence of hardcoded plaintext credentials is a significant security risk in industrial control environments. The affected product is widely used in building automation and HVAC systems, which are critical for operational continuity in commercial and industrial facilities.
Potential Impact
The primary impact of this vulnerability is the compromise of confidentiality due to exposure of plaintext email credentials. This can lead to unauthorized access to email systems or other connected services, potentially enabling attackers to intercept sensitive communications or launch further attacks. The integrity and availability of the Frick Controls Quantum HD system could also be affected if attackers leverage the credentials to manipulate system settings or disrupt operations. Given the product’s role in building management and HVAC control, exploitation could result in operational disruptions, safety risks, or financial losses. Organizations relying on these systems may face increased risk of espionage, sabotage, or compliance violations. The requirement for local access limits the scope somewhat but does not eliminate risk, especially in environments with insufficient physical security or insider threats. The lack of known exploits suggests the threat is not yet widespread, but the vulnerability remains a significant risk if left unmitigated.
Mitigation Recommendations
1. Apply firmware updates or patches from Johnson Controls as soon as they become available to remove hardcoded plaintext credentials.
2. If patches are not yet available, rotate or change any credentials associated with the affected devices to prevent unauthorized use.
3. Restrict physical and local network access to Frick Controls Quantum HD devices by implementing strong physical security controls and network segmentation.
4. Monitor logs and network traffic for unusual access patterns or attempts to extract credentials.
5. Employ endpoint detection and response (EDR) tools on management workstations to detect unauthorized local access attempts.
6. Conduct regular security audits and penetration testing focused on building management systems to identify and remediate similar vulnerabilities.
7. Educate facility management and IT staff on the risks of hardcoded credentials and the importance of securing industrial control systems.
8. Consider deploying multi-factor authentication and encryption for management interfaces where supported to reduce risk from credential exposure.
Affected Countries
United States, Canada, Germany, United Kingdom, Australia, Japan, France, Netherlands, South Korea, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2026-01-02T13:23:28.169Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a1633532ffcdb8a2131e54
Added to database: 2/27/2026, 9:26:13 AM
Last enriched: 2/27/2026, 9:42:16 AM
Last updated: 4/13/2026, 2:44:59 AM
Views: 120