🔐 CVE Alert

CVE-2026-3611

CRITICAL 10.0

Honeywell IQ4x BMS Controller: Missing Authentication for Critical Function

CVSS Score: 10.0
EPSS Score: 0.2%
EPSS Percentile: 44th

The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is reachable before any authentication takes place, a remote user can create a new account with administrative read/write permissions, thereby enabling the user module and imposing authentication under attacker-controlled credentials. This can effectively lock legitimate operators out of both local and web-based configuration and administration.

CWE: CWE-306
Vendor: honeywell
Product: iq4e
Published: Mar 12, 2026
Last Updated: Mar 30, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Honeywell / IQ4E: v3.50_3.44 ≤ 4.36 (build 4.3.7.9)
Honeywell / IQ412: v3.50_3.44 ≤ 4.36 (build 4.3.7.9)
Honeywell / IQ422: v3.50_3.44 ≤ 4.36 (build 4.3.7.9)
Honeywell / IQ4NC: v3.50_3.44 ≤ 4.36 (build 4.3.7.9)
Honeywell / IQ41x: v3.50_3.44 ≤ 4.36 (build 4.3.7.9)
Honeywell / IQ3: v3.50_3.44 ≤ 4.36 (build 4.3.7.9)
Honeywell / IQECO: v3.50_3.44 ≤ 4.36 (build 4.3.7.9)

References

cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03
github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-069-03.json
honeywell.com: https://www.honeywell.com/us/en/contact

Credits

Gjoko Krstic of Zero Science reported this vulnerability to Honeywell.