
Honeywell IQ4x building management system exposes web interface without password in default config

CVE-2026-3611
Summary

The Honeywell IQ4x building management system has a default security setting that makes it possible for anyone to access its web interface without a password. This can allow unauthorized users to create new accounts with full access, potentially locking out legitimate operators from managing the system. To fix this, users should configure a user module and set up authentication as soon as possible.

Original title
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled b...
Original description
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
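The practical question after reading this description is which controllers still run without a user module. The audit check below is an added example (not Honeywell's code or tooling): it sends one anonymous GET for the U.htm user-administration page named above and classifies the answer. The host addresses are constructed placeholders, and it assumes that a controller with a configured user module answers anonymous requests with 401/403 or a redirect to a login page; confirm that behaviour against your own firmware before relying on the result.

```python
"""Audit check for CVE-2026-3611: report IQ4x controllers whose web HMI still
serves the user-administration page (U.htm) to anonymous clients.
Added example, not Honeywell's code. ASSUMPTION: once a user module is
configured, the controller answers anonymous requests with 401/403 or a
redirect to a login page."""
from typing import Optional
import urllib.error
import urllib.request

# Constructed placeholder addresses: replace with your own controller list.
CONTROLLERS = ["http://192.0.2.10", "http://192.0.2.11"]
USER_PAGE = "/U.htm"  # user-administration page named in the advisory


def assess(status: int, location: Optional[str]) -> str:
    """Classify an anonymous response to U.htm (assumption documented above)."""
    if status in (401, 403):
        return "AUTH_ENFORCED"
    if status in (301, 302, 303, 307, 308) and location and "login" in location.lower():
        return "AUTH_ENFORCED"
    if status == 200:
        return "EXPOSED"  # user module not configured: U.htm served without a login
    return f"UNEXPECTED_{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects; the redirect itself is the signal we classify.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Send one anonymous GET for U.htm and return the classification."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + USER_PAGE,
                                 headers={"User-Agent": "iq4x-auth-audit"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return assess(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses land here
        return assess(err.code, err.headers.get("Location"))
    except (urllib.error.URLError, OSError) as err:
        return f"UNREACHABLE ({err})"


if __name__ == "__main__":
    for url in CONTROLLERS:
        print(f"{url}: {probe(url)}")  # EXPOSED means: configure a user module now
```

Controllers reported as EXPOSED should have a user module configured and authentication enabled, as the summary above recommends.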
NVD CVSS 3.1: 10.0
NVD CVSS 4.0: 10.0
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026