Description
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
Published: 2026-03-12
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrative Access
Action: Contact Vendor
AI Analysis

Impact

The Honeywell IQ4x building-management controller exposes its full web-based HMI without authentication when the device is in its factory-default configuration. Because the user module is disabled until a new account is created via the U.htm page, an unauthenticated remote user can establish a new administrative account with read/write privileges. This creates a privilege-escalation path that can lock out legitimate operators and grant the attacker full configuration control, a flaw identified as CWE-306 Missing Authentication for a Critical Function.

Affected Systems

Affected products include Honeywell IQ3, IQ412, IQ41x, IQ422, IQ4E, IQ4NC, and IQECO. The vulnerability manifests when any of these controllers remain in the default state with no authentication enabled. No specific version ranges are quoted; thus any listed device in the default, unconfigured state is potentially vulnerable.

Risk and Exploitability

The CVSS score of 10 indicates critical severity, and the EPSS score of less than 1% suggests limited historical exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely over the unsecured HTTP interface without special privileges, create a privileged account, and then deny legitimate users access to the controller.

Generated by OpenCVE AI on March 18, 2026 at 15:50 UTC.

Remediation

Vendor Workaround

Honeywell is aware of the issue but has not released a fix. For more information, contact Honeywell directly: [https://www.honeywell.com/us/en/contact](https://www.honeywell.com/us/en/contact).


OpenCVE Recommended Actions

  • Contact Honeywell directly for official guidance and any forthcoming fixes
  • Restrict external network access to the IQ4x HTTP interface by placing the device behind a firewall or VLAN that only trusted components can reach
  • Disable the default guest account and prevent the user module from being enabled until the network is secured
  • Create administrative accounts only after ensuring that the HTTP interface is protected and no unauthorized access is possible
  • Monitor the device for any unauthorized account creation or configuration changes
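The two network-facing items above (restrict reachability of the HTTP interface to a trusted segment, and watch for account creation) can be checked from access logs. The following is an added example, not OpenCVE's or Honeywell's code: it assumes the controller sits behind a reverse proxy or firewall that writes Common Log Format lines (the controller's own log format is not documented on this page), assumes a trusted management subnet of 10.20.30.0/24, and uses constructed sample lines. Any request to U.htm, the page that creates the first web user and switches the user module on, is flagged for audit; one from outside the trusted subnet is flagged as a likely unauthorized account creation.

```python
"""Flag requests to a Honeywell IQ4x HTTP interface that indicate account creation
(U.htm) or access from outside the trusted BMS subnet, using proxy/firewall access
logs. Added example; log format, subnet and sample lines are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: Common Log Format, e.g. from a reverse proxy in front of the controller.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: only the BMS management VLAN should ever reach the controller.
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# The advisory states that U.htm creates the first web user and enables the
# user module, so every request to it is a configuration change worth recording.
SENSITIVE_PATHS = {"/u.htm"}

UNTRUSTED_ACCOUNT_CHANGE = "user-module change from untrusted source"
TRUSTED_ACCOUNT_CHANGE = "user-module change (trusted source, audit)"
UNTRUSTED_ACCESS = "HMI reached from outside trusted subnet"


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    path: str
    reason: str


def is_trusted(src: str) -> bool:
    """True when the source address lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(ip in net for net in TRUSTED_NETS)


def analyse(lines):
    """Return a Finding for every log line that deserves attention."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, path = m["src"], m["path"]
        base = path.split("?", 1)[0].lower()  # drop query string before matching
        untrusted = not is_trusted(src)
        if base in SENSITIVE_PATHS:
            reason = UNTRUSTED_ACCOUNT_CHANGE if untrusted else TRUSTED_ACCOUNT_CHANGE
            findings.append(Finding(src, m["ts"], m["method"], path, reason))
        elif untrusted:
            findings.append(Finding(src, m["ts"], m["method"], path, UNTRUSTED_ACCESS))
    return findings


# Constructed sample lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '10.20.30.15 - - [18/Mar/2026:09:01:12 +0000] "GET /index.htm HTTP/1.1" 200 5120',
    '10.20.30.15 - - [18/Mar/2026:09:02:40 +0000] "POST /U.htm HTTP/1.1" 200 310',
    '203.0.113.77 - - [18/Mar/2026:09:05:03 +0000] "GET /index.htm HTTP/1.1" 200 5120',
    '203.0.113.77 - - [18/Mar/2026:09:05:09 +0000] "POST /U.htm?user=ops HTTP/1.1" 200 310',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.method} {f.path}: {f.reason}")
```

Run as-is it prints three findings from the constructed log: the in-subnet U.htm request (audit only), the out-of-subnet HMI access, and the out-of-subnet U.htm request. In practice the trusted-network list should mirror the firewall or VLAN rule that fronts the device, so that any finding of the third kind means the restriction itself has failed.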

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Honeywell, Honeywell iq3, Honeywell iq412, Honeywell iq41x, Honeywell iq422, Honeywell iq4e, Honeywell iq4nc, Honeywell iqeco

Type: Vendors & Products
Values Removed: (none)
Values Added: Honeywell, Honeywell iq3, Honeywell iq412, Honeywell iq41x, Honeywell iq422, Honeywell iq4e, Honeywell iq4nc, Honeywell iqeco

Thu, 12 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.

Type: Title
Values Removed: (none)
Values Added: Honeywell IQ4x BMS Controller Missing authentication for critical function

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-306

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-30T15:26:08.604Z

Reserved: 2026-03-05T18:12:38.425Z

Link: CVE-2026-3611

Vulnrichment

Updated: 2026-03-13T18:02:56.756Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T21:16:27.693

Modified: 2026-03-13T20:06:54.667

Link: CVE-2026-3611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:05:17Z

Weaknesses