CRITICAL🇵🇱 Wersja polska

CVE-2026-3611

CVSS 10.0v4.0pub. 2026-03-12upd. 2026-06-05

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.

🤖 AI Analysis
How it works

In the factory configuration, the user module is not activated, and the system operates in the context of a System Guest account (level 100) with read and write permissions for each HTTP client. Authentication control is only enabled after the first web user is created through the U.htm page, which dynamically activates the user module. Since the U.htm page is accessible before authentication, a remote attacker can create a new administrative account with read and write privileges without any credentials, thereby activating the authentication module under their controlled credentials. As a result, legitimate operators lose access to both local and web configuration of the device.

Impact

An attacker can remotely and without authentication gain full administrative privileges to the building controller, modify its configuration, and permanently block access to legitimate operators by taking over the authentication mechanism.

Mitigation & patch

The web user account must be configured immediately through the U.htm page to activate the authentication module and enforce access control. The device should not be exposed to publicly accessible networks without prior authentication configuration. Patches available from the manufacturer should be applied according to references (ICSA-26-069-03) and CISA recommendations should be reviewed at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03

Who is affected

Honeywell IQ4x building management controller in factory configuration (without configured user module); specific versions indicated in manufacturer references (ICSA-26-069-03)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Honeywell Iq412

    HW
    Honeywell
    wszystkie wersje
  • Honeywell Iq412 Firmware

    OS
    Honeywell
    < 3.30
  • Honeywell Iq41x

    HW
    Honeywell
    wszystkie wersje
  • Honeywell Iq41x Firmware

    OS
    Honeywell
    < 3.30
  • Honeywell Iq422

    HW
    Honeywell
    wszystkie wersje
  • Honeywell Iq422 Firmware

    OS
    Honeywell
    < 3.30
  • Honeywell Iq4e

    HW
    Honeywell
    wszystkie wersje
  • Honeywell Iq4e Firmware

    OS
    Honeywell
    < 3.30
  • Honeywell Iq4nc

    HW
    Honeywell
    wszystkie wersje
  • Honeywell Iq4nc Firmware

    OS
    Honeywell
    < 3.30
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-2605CRITICAL9.9PL ✓ten sam vendor

OS Command Injection w Honeywell MB-Secure i MB-Secure PRO (privilege abuse)

CVE-2024-2422CRITICAL9.3PL ✓ten sam vendor

Uwierzytelniony RCE w LenelS2 NetBox (wersje do 5.6.1 włącznie)

CVE-2024-2421CRITICAL9.3PL ✓ten sam vendor

Nieuwierzytelniony RCE w Honeywell LenelS2 NetBox (command injection)

CVE-2023-5389CRITICAL9.1PL ✓ten sam vendor

Nieautoryzowana modyfikacja plików w Honeywell ControlEdge UOC i VirtualUOC

CVE-2023-3710CRITICAL9.9ten sam vendor

Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Com...