Summary
Successful exploitation of this vulnerability could allow an unauthorized attacker to access controller management settings, control components, disclose information, or cause a denial-of-service condition.
The following versions of Honeywell IQ4x BMS Controller are affected:
- IQ4E >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
- IQ412 >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
- IQ422 >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
- IQ4NC >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
- IQ41x >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
- IQ3 >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
- IQECO >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 10 | Honeywell | Honeywell IQ4x BMS Controller | Missing Authentication for Critical Function |
Background
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Government Services and Facilities, Healthcare and Public Health
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2026-3611
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are enforced only after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
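Because the page that enables the user module (U.htm) is reachable before any authentication exists, the event a defender most wants to notice is a request to that page from an address that is not a known operator workstation. The following detector is an added example, not code from the advisory, CISA or Honeywell: it scans constructed HTTP access-log lines in a common-log style, flags any request to U.htm from outside an allow-listed management network as high severity, flags any other HMI page reached from an untrusted address as evidence that the controller is exposed, and records POSTs to U.htm from the management network as account changes to review. The log format, the 10.10.0.0/24 management range and the timestamps are assumptions; the controller itself may not write such a log, in which case the same logic applies to a reverse proxy or network sensor placed in front of it.

```python
"""Added example (not from the advisory or from Honeywell).

Scans web-HMI access-log lines for requests to the user-management page
U.htm and for HMI access from outside the management network. Log format,
IP ranges and sample lines are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed common-log style line; a real controller or proxy may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Assumed network from which configuration changes are expected.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Page named in the advisory that enables the user module (lower-cased for matching).
SENSITIVE_PATHS = {"/u.htm"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_management(ip: str) -> bool:
    """True if the client address lies inside an allow-listed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def scan(lines: List[str]) -> List[Finding]:
    """Classify each log line; unparseable lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop query string
        sensitive = path.lower() in SENSITIVE_PATHS
        status = int(rec["status"])
        trusted = is_management(rec["ip"])

        if sensitive and not trusted:
            findings.append(Finding("high", rec["ip"], rec["ts"], rec["method"], path, status,
                                    "user-management page reached from outside the management network"))
        elif not trusted and status < 400:
            findings.append(Finding("medium", rec["ip"], rec["ts"], rec["method"], path, status,
                                    "HMI page served to an address outside the management network"))
        elif sensitive and rec["method"] == "POST":
            findings.append(Finding("info", rec["ip"], rec["ts"], rec["method"], path, status,
                                    "account change submitted from the management network; verify with operators"))
    return findings


# Constructed sample log (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.10.0.5 - - [03/Mar/2026:09:12:01 +0000] "GET /index.htm HTTP/1.1" 200',
    '10.10.0.5 - - [03/Mar/2026:09:12:20 +0000] "POST /U.htm HTTP/1.1" 200',
    '203.0.113.7 - - [03/Mar/2026:09:15:42 +0000] "GET /index.htm HTTP/1.1" 200',
    '203.0.113.7 - - [03/Mar/2026:09:15:50 +0000] "POST /U.htm?x=1 HTTP/1.1" 200',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ts} {f.ip} {f.method} {f.path} {f.status}: {f.reason}")
```

Run against the sample, the detector reports the operator's own POST to U.htm as an informational account change, the untrusted GET of index.htm as exposure of the HMI, and the untrusted POST to U.htm as the high-severity event. Extending MANAGEMENT_NETS and SENSITIVE_PATHS to the site's real values is the only change needed to apply it to a live log.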
Affected Products
Vendor: Honeywell
Product: Honeywell IQ4x BMS Controller
Known affected versions:
- Honeywell IQ4E: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
- Honeywell IQ412: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
- Honeywell IQ422: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
- Honeywell IQ4NC: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
- Honeywell IQ41x: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
- Honeywell IQ3: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
- Honeywell IQECO: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
Remediations
Mitigation
Honeywell is aware of the issue but has not released a fix. For more information, contact Honeywell directly: https://www.honeywell.com/us/en/contact
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Acknowledgments
- Gjoko Krstic of Zero Science reported this vulnerability to Honeywell
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
C
[…]