Description
Honeywell IQ MultiAccess, all versions prior to and including version 28, contains an improper digital signature verification vulnerability. An attacker could potentially exploit this vulnerability, leading to the replacement of a downloaded file with a malicious one. Honeywell also recommends updating to the most recent version of this product, service, or offering [V27 SP1, V28 SP1].
Published: 2026-06-29
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Honeywell IQ MultiAccess implements signature checks on downloaded content, but versions prior to and including 28 fail to verify the digital signature before launching the file. The flaw allows an attacker to replace the originally intended content with a malicious artifact, so that any subsequent execution of the downloaded file may run arbitrary code on the device. The impact is therefore unauthorized code execution on systems using the affected firmware, putting data integrity and availability at risk.

Affected Systems

The affected product is Honeywell IQ MultiAccess. All releases up to and including Version 28, including V27 SP1 and V28 SP1, are vulnerable. Devices running those firmware images are at risk of having their downloads replaced with malicious content.

Risk and Exploitability

The vulnerability has a CVSS score of 5.9, placing it in the medium severity range. No EPSS score is provided, and it is not listed in the CISA KEV catalog, indicating no confirmed exploitation in the field. The likely attack vector involves exploitation of the download or update mechanism, where a malicious source provides a payload that bypasses signature verification. Thus, while the formal exploitation likelihood appears low, a compromised download channel could still be used to inject malicious files, warranting precautionary measures.

Generated by OpenCVE AI on June 29, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to the latest Honeywell IQ MultiAccess release that includes proper signature verification
  • If an immediate upgrade is unavailable, disable any automatic execution of downloaded files or require manual review before deployment
  • Verify that any update or download originates from a trusted, signed source and periodically audit the device for unauthorized file changes

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 29 Jun 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Honeywell IQ MultiAccess, all versions prior to and including version 28, contains an improper digital signature verification vulnerability. An attacker could potentially exploit this vulnerability, leading to the replacement of a downloaded file with a malicious one. Honeywell also recommends updating to the most recent version of this product, service, or offering [V27 SP1, V28 SP1]. |
| Title | | Lack of signature verification before execution of downloaded content |
| Weaknesses | | CWE-367 |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: Honeywell

Published:

Updated: 2026-06-29T16:24:20.095Z

Reserved: 2026-06-29T15:10:48.921Z

Link: CVE-2026-13742

Vulnrichment

Updated: 2026-06-29T16:24:17.094Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T17:30:06Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition