CVE-2026-3611

Summary

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.

Affected Software

VendorProductVersion RangeStatus
HoneywellIQ4Ev3.50_3.44 <= 4.36 (build 4.3.7.9)affected
HoneywellIQ412v3.50_3.44 <= 4.36 (build 4.3.7.9)affected
HoneywellIQ422v3.50_3.44 <= 4.36 (build 4.3.7.9)affected
HoneywellIQ4NCv3.50_3.44 <= 4.36 (build 4.3.7.9)affected
HoneywellIQ41xv3.50_3.44 <= 4.36 (build 4.3.7.9)affected
HoneywellIQ3v3.50_3.44 <= 4.36 (build 4.3.7.9)affected
HoneywellIQECOv3.50_3.44 <= 4.36 (build 4.3.7.9)affected

Weaknesses

  • CWE-306: CWE-306 Missing authentication for critical function

Workarounds

Honeywell is aware of the issue, but has not released a fix. For more information, contact Honeywell directly. https://www.honeywell.com/us/en/contact.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References