CVE-2026-3611

Name of the Vulnerable Software and Affected Versions Honeywell IQ4x building management controller (affected versions not specified)

Description The Honeywell IQ4x building management controller exposes its full web-based Human Machine Interface (HMI) without authentication in its factory-default configuration. When no user module is configured, security is disabled by design, and the system operates under a System Guest context, granting read/write privileges to anyone who can access the HTTP interface. Authentication is only enforced after a web user is created through the U.htm function, which dynamically enables the user module. Because this function is accessible before authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively prevent legitimate operators from accessing local and web-based configuration and administration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.