External risk intelligence

Honeywell IQ4x Building Controllers Authentication Bypass

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-3611

Honeywell IQ4x controllers allow unauthenticated remote users to create administrative accounts via the web interface, potentially locking out legitimate operators and disrupting building control functions.

Halo Surface Signal: 5

Weakness: Missing Authentication

Affected product: Honeywell Iq4e Firmware

Affected versions: before 3.30

External exposure likelihood

Halo Surface Signal score for CVE-2026-3611

The device is a building management controller that exposes its full web-based HMI directly to the network. As an administrative interface accessible over HTTP, such systems are frequently designed or mistakenly configured for remote access to facilitate building management, making the management interface inherently public-facing or easily reachable in common deployment scenarios.

PCI scan relevance

PCI Relevance for CVE-2026-3611

Yes

CVE-2026-3611 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows an attacker to create an administrative account with no authentication, which is an automatic failure for PCI scans due to authentication bypass.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in Honeywell IQ4x building management controllers, allowing unauthenticated remote access to the system's web interface. This could permit unauthorized users to alter critical building controls, potentially disrupting operations or locking out legitimate administrators.

  • Unauthenticated access to building management controls.
  • Could disrupt operations or lock out administrators.
  • Confirm relevance and exposure to building systems.

Attack Path

How an attacker could exploit the issue

An attacker can reach the Honeywell IQ4x controller through its web interface, which is exposed by default without any authentication. This allows an unauthenticated remote user to access the system's administrative functions. By creating a new account with full privileges, the attacker can then lock out legitimate users and gain complete control over the device.

  • Unauthenticated network access required.
  • Attacker creates an administrative account.
  • Complete device control and lockout.

Live Threat

Current exploitation, exposure, and threat context

The Honeywell IQ4x building management controller's default configuration exposes its web interface without authentication. This allows an unauthenticated remote attacker to create an administrative account, which then turns on user-module authentication under the attacker's credentials and can lock legitimate operators out. No specific system data types or PII are mentioned as at risk in the provided context.

  • Building management controller access.
  • Remote attacker creates administrative credentials.
  • Legitimate operators could lose control.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Honeywell IQ4x building management controller's default configuration exposes its web interface without authentication, allowing remote attackers to establish administrative accounts and lock out legitimate users. This vulnerability resides within the operational technology (OT) infrastructure, likely managed by a combination of facilities management, IT infrastructure, and OT security teams. The immediate priority is to identify all deployed IQ4x controllers, assess their network reachability and criticality, and determine the responsible system owner for remediation planning.

  • Facilities or OT infrastructure teams own the issue.
  • Verify all IQ4x controller network reachability.
  • Plan remediation based on identified risk.
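The priority actions above amount to an inventory triage: find every IQ4x controller, check whether its firmware is in the affected range (before 3.30), rank it by how far its web interface is reachable, and route it to the owning team. The following script is an added example, not code from Honeywell or from this advisory. It works on a constructed CSV inventory embedded in the script (hypothetical asset IDs, sites and owners), treats 3.30 as the fixed baseline because the advisory lists only versions before 3.30 as affected, and assumes firmware strings compare as dotted integers.

```python
"""Triage an asset inventory for CVE-2026-3611 exposure (added example; not vendor code)."""
import csv
import io
import re

# Advisory: IQ4x firmware before 3.30 is affected, so 3.30 is the fixed baseline (assumption).
FIXED_VERSION = (3, 30)

# How far the controller's web interface can be reached; higher means more exposed.
EXPOSURE_RANK = {"internet": 3, "corp-lan": 2, "ot-vlan": 1}

# Constructed sample inventory: hypothetical assets, not real devices.
SAMPLE_INVENTORY = """\
asset_id,product,firmware,site,web_reachable_from,owner
bms-001,Honeywell IQ4E,3.20,HQ,internet,facilities
bms-002,Honeywell IQ4E,3.30,HQ,corp-lan,facilities
bms-003,Honeywell IQ4E,3.10,Plant-2,corp-lan,ot-security
bms-004,Honeywell IQ4E,2.90,Warehouse,ot-vlan,facilities
hvac-009,Other Vendor Controller,1.4,HQ,internet,facilities
"""


def parse_version(text):
    """Turn '3.20' into (3, 20) so tuples compare numerically (dotted-integer assumption)."""
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums) or (0,)


def is_affected(product, firmware):
    """True for IQ4-family controllers running firmware below the fixed baseline."""
    return bool(re.search(r"\bIQ4", product, re.I)) and parse_version(firmware) < FIXED_VERSION


def triage_row(row):
    """Attach an affected flag, a priority and a recommended action to one inventory row."""
    affected = is_affected(row["product"], row["firmware"])
    rank = EXPOSURE_RANK.get(row["web_reachable_from"], 2)  # unknown zones treated as internal
    if affected and rank == 3:
        priority = "P1"
        action = "isolate the web interface from the internet now, then upgrade to 3.30 or later"
    elif affected:
        priority = "P2"
        action = "upgrade to 3.30 or later; restrict the web interface to the OT management network"
    elif rank == 3:
        priority = "P3"
        action = "outside the affected range, but an internet-reachable BMS admin interface should still be isolated"
    else:
        priority = "P4"
        action = "no action for CVE-2026-3611; keep in inventory"
    return {**row, "affected": affected, "priority": priority, "action": action}


def triage_inventory(csv_text):
    """Parse the CSV inventory and return rows sorted with the most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [triage_row(r) for r in rows]
    results.sort(key=lambda r: (r["priority"], r["asset_id"]))
    return results


def summarize(results):
    """Count assets per priority bucket for the remediation plan."""
    counts = {}
    for r in results:
        counts[r["priority"]] = counts.get(r["priority"], 0) + 1
    return counts


if __name__ == "__main__":
    triaged = triage_inventory(SAMPLE_INVENTORY)
    for r in triaged:
        print(f'{r["priority"]} {r["asset_id"]:9} {r["product"]:25} fw {r["firmware"]:5} '
              f'via {r["web_reachable_from"]:9} owner={r["owner"]}: {r["action"]}')
    print("summary:", summarize(triaged))
```

Replace SAMPLE_INVENTORY with an export from your CMDB or OT asset tool; the owner column is what lets facilities, IT and OT security teams each see their own P1 and P2 items.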

Frequently asked questions

What is the Honeywell IQ4x building management controller?

The Honeywell IQ4x is a controller used in building management systems. It manages and controls various aspects of a building's operations through a web-based interface.

What type of vulnerability is CVE-2026-3611?

CVE-2026-3611 is an authentication bypass vulnerability. This means an attacker can access system functions without proving their identity, specifically by creating an administrative account on the controller. This falls under the weakness class CWE-306.

How can an attacker exploit this vulnerability?

An attacker can exploit this by accessing the controller's web interface, which is exposed by default without authentication. They can then create a new administrative account; authentication is thereby enabled under their own credentials, which allows them to take control of the system and potentially lock out legitimate users.

Who should be concerned about this threat?

Organizations with Honeywell IQ4x controllers that are accessible from the internet or internal networks are at risk. The Halo Surface Signal indicates this is a very likely threat because these management interfaces are often reachable remotely.

What is the first step to address this threat?

The first step is to identify all deployed Honeywell IQ4x controllers within your environment. You should then assess how reachable these controllers are from networks and determine who is responsible for managing these systems to plan for remediation.
