Honeywell IQ4x BMS Controller Missing authentication for critical function
Summary
| CVE | CVE-2026-3611 |
|---|---|
| State | PUBLISHED |
| Assigner | icscert |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-12 21:16:27 UTC |
| Updated | 2026-06-05 19:39:29 UTC |
| Description | The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration. |
Risk And Classification
Primary CVSS: v4.0 10 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-306 | CWE-306 CWE-306 Missing authentication for critical function
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 10 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 10 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| 3.1 | [email protected] | Primary | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
HighSub Integrity
HighSub Availability
HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Honeywell | Iq412 | - | All | All | All |
| Operating System | Honeywell | Iq412 Firmware | All | All | All | All |
| Hardware | Honeywell | Iq41x | - | All | All | All |
| Operating System | Honeywell | Iq41x Firmware | All | All | All | All |
| Hardware | Honeywell | Iq422 | - | All | All | All |
| Operating System | Honeywell | Iq422 Firmware | All | All | All | All |
| Hardware | Honeywell | Iq4e | - | All | All | All |
| Operating System | Honeywell | Iq4e Firmware | All | All | All | All |
| Hardware | Honeywell | Iq4nc | - | All | All | All |
| Operating System | Honeywell | Iq4nc Firmware | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Honeywell | IQ4E | affected v3.50_3.44 4.36 (build 4.3.7.9) custom | Not specified |
| CNA | Honeywell | IQ412 | affected v3.50_3.44 4.36 (build 4.3.7.9) custom | Not specified |
| CNA | Honeywell | IQ422 | affected v3.50_3.44 4.36 (build 4.3.7.9) custom | Not specified |
| CNA | Honeywell | IQ4NC | affected v3.50_3.44 4.36 (build 4.3.7.9) custom | Not specified |
| CNA | Honeywell | IQ41x | affected v3.50_3.44 4.36 (build 4.3.7.9) custom | Not specified |
| CNA | Honeywell | IQ3 | affected v3.50_3.44 4.36 (build 4.3.7.9) custom | Not specified |
| CNA | Honeywell | IQECO | affected v3.50_3.44 4.36 (build 4.3.7.9) custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.honeywell.com/us/en/contact | [email protected] | www.honeywell.com | Product |
| github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-06... | [email protected] | github.com | Issue Tracking |
| www.cisa.gov/news-events/ics-advisories/icsa-26-069-03 | [email protected] | www.cisa.gov | Third Party Advisory, US Government Resource |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Gjoko Krstic of Zero Science reported this vulnerability to Honeywell. (en)
Additional Advisory Data
Workarounds
CNA: Honeywell is aware of the issue, but has not released a fix. For more information, contact Honeywell directly. [https://www.honeywell.com/us/en/contact](https://www.honeywell.com/us/en/contact).
There are currently no legacy QID mappings associated with this CVE.