CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Johnson Controls Patches Critical Vulnerability in Industrial Refrigeration Products

Johnson Controls has patched a critical vulnerability that can be exploited to take complete control of Frick industrial refrigeration products. 

Johnson Controls

Johnson Controls recently announced patches for a critical vulnerability found by an external researcher in some of its industrial refrigeration products.

According to advisories published by Johnson Controls and the US cybersecurity agency CISA, the flaw, tracked as CVE-2023-4804, can “allow an unauthorized user to access debug features that were accidentally exposed”.

Impacted products include Frick Quantum HD Unity Compressor, AcuAir, Condenser/Vessel, Evaporator, Engine Room, and Interface control panels. 

Frick refrigeration products are advertised by the vendor for the food and beverage industry. According to CISA, the impacted products are used worldwide, including in the critical manufacturing sector.

Johnson Controls has released updates for each of the impacted control panels to patch the vulnerability, which has been assigned a CVSS score of 10.

The researcher who reported the flaw to Johnson Controls told SecurityWeek that the vulnerability could allow an attacker to take full administrative control of a Quantum HD system.

It’s unclear exactly what an attacker could achieve by exploiting this particular product in a real world environment but, in general, cyberattacks targeting refrigeration systems could be used to cause disruption and financial damage. For example, by changing temperature settings, an attacker could reduce the lifespan or quality of stored goods. 

In the case of Quantum HD products, the researcher said there are at least a handful of systems located in North America that are exposed to the internet and may be vulnerable to attacks. 

According to the researcher, it took Johnson Controls roughly six months to roll out the patches.

Advertisement. Scroll to continue reading.

“[Johnson Controls International] was a pleasure to work with. First off, they actually have a responsible disclosure process, and a product security team. That’s more than many ICS/SCADA vendors can claim. Their team was very responsive,” the researcher noted. “It took longer than originally anticipated to release the patch, because as they continued to dig in, they found that the impact was wider than originally anticipated and they wanted to fix all the platforms at the same time.”

The researcher also made an interesting point about how the vulnerability may have ended up in a Johnson Controls product. 

“It seems as this was a deeper ‘software supply chain’ issue, as the original vendor was Frick, who was bought by York, who became part of Johnson Controls,” the researcher said. “That speaks to the larger issue of due diligence during mergers and acquisitions.” 

“I was rather surprised to be the first one to have reported the issue, given its low attack complexity. That leads me to believe that they didn’t have visibility to it because it was two levels deep in the noise of acquisitions,” the expert added.

Related: Johnson Controls Ransomware Attack Could Impact DHS

Related: Johnson Controls Hit by Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.