Home / Vulnerability Intelligence / CVE-2026-21654

CVE-2026-21654 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 2, 2026

Johnson Controls Frick Controls Quantum HD - OS Command Injection

Published: February 27, 2026Updated: March 2, 2026Remote Exploitable

Overview

Johnson Controls Frick Controls Quantum HD <= 10.22 contains an OS command injection caused by improper neutralization of special elements, letting attackers execute arbitrary OS commands remotely, exploit requires network access.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 11.8%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary OS commands, potentially leading to full system compromise.

Mitigation

Update to a version later than 10.22 or the latest available version.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 2, 2026

🔴 CVE-2026-21654 - Critical (9.8) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21654/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-21654
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: confirmed
EPSS: 11.8%
Social Posts: 1

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

11.8%Probability of exploitation in the next 30 days