Critical Authentication Bypass in Honeywell IQ4x BMS Controllers Allows Remote Takeover
Take action: If you run Honeywell IQ4x Building Management System controllers (or any BMS), make sure they are isolated from the internet and reachable only from trusted networks, then contact Honeywell for updates. Don't wait to isolate your systems: this is a maximum-severity flaw that needs no credentials, and exploitation should be expected soon. Because the attack works by creating the first user account, a controller that suddenly prompts for credentials nobody on your team set should be treated as already compromised.
Learn More
CISA has published an advisory on a critical flaw in Honeywell IQ4x Building Management System (BMS) controllers. The vulnerability, identified by researcher Gjoko Krstic of Zero Science, allows unauthenticated remote users to gain full administrative access to the devices, potentially disrupting building operations and environmental controls.
The vulnerability is tracked as CVE-2026-3611 (CVSS score 10.0): a missing-authentication weakness in the web-based HMI that lets remote attackers create administrative accounts. In the factory-default configuration the user module is disabled, so the controller runs under a "System Guest" profile with full read/write access. An attacker can open the U.htm page and set up a new user; doing so enables the authentication module with credentials only the attacker knows, effectively locking out legitimate operators.
Exploiting this flaw lets an attacker change controller management settings and manipulate the physical building equipment the controller drives, leading to a complete denial of service (DoS) for environmental controls or the theft of sensitive operational data. Because the attacker defines the credentials during the setup process, they can permanently hijack the device's local and web-based administration interfaces and prevent authorized staff from regaining control.
The following Honeywell IQ4x BMS controller firmware versions are affected:
- IQ4E, IQ412, IQ422, IQ4NC, and IQ41x (Firmware v3.50_3.44 to versions prior to 4.36_build_4.3.7.9)
- IQ3 and IQECO (Firmware v3.50_3.44 to versions prior to 4.36_build_4.3.7.9)
Honeywell has not yet released a firmware patch for this vulnerability; contact Honeywell for specific guidance on securing your installation. In the meantime, isolate these controllers from the public internet and place them behind firewalls or within a secure VPN, so that the HMI is reachable only from trusted management networks.
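Until a patch is available, the practical controls are the isolation described above and watching for the account-creation step the advisory describes. The script below is an added example, not code from the advisory, CISA or Honeywell: it runs detection logic over constructed HTTP access-log lines in the common Apache/nginx "combined" format, as a reverse proxy or firewall placed in front of the controller's HMI might record them (the advisory does not describe the controller's own logging). It flags any request to the HMI from outside a trusted management network, and any write to the U.htm user-setup page named in the advisory, even from a trusted address, so it can be matched against change records. The trusted network 10.20.5.0/24 and the sample addresses are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines (not real controller output) in Apache/nginx
# "combined" format, as a reverse proxy or firewall in front of the HMI
# might log them. Addresses are documentation ranges chosen for the example.
SAMPLE_LOG = """\
10.20.5.17 - - [12/Mar/2026:08:01:12 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.5.17 - - [12/Mar/2026:08:02:44 +0000] "GET /U.htm HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2026:08:05:03 +0000] "GET /U.htm HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2026:08:05:09 +0000] "POST /U.htm HTTP/1.1" 200 180 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:08:07:30 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" "curl/8.4"
"""

# Hypothetical trusted BMS management network (an assumption for this example).
TRUSTED_NETS = (ipaddress.ip_network("10.20.5.0/24"),)

# User-setup page named in the advisory; a write here is an account-creation attempt.
USER_SETUP_PATH = "/u.htm"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    method: str
    path: str
    status: int
    reasons: Tuple[str, ...]


def is_trusted(src_ip: str, trusted=TRUSTED_NETS) -> bool:
    """True if src_ip lies inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparseable source field: treat as untrusted
    return any(addr in net for net in trusted)


def classify(line: str, trusted=TRUSTED_NETS) -> Optional[Finding]:
    """Return a Finding for one access-log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed lines are skipped rather than aborting the run
    path = m["path"].split("?", 1)[0].lower()
    reasons = []
    if not is_trusted(m["ip"], trusted):
        # The mitigation is to reach the HMI only from trusted networks, so any
        # other source is a policy violation whatever page it requested.
        reasons.append("untrusted_source")
    if path == USER_SETUP_PATH and m["method"] in ("POST", "PUT"):
        # A write to the user-setup page is the step that creates an account and
        # turns on authentication under the requester's control. Flag it even
        # from a trusted address so it can be checked against change records.
        reasons.append("user_setup_write")
    if not reasons:
        return None
    return Finding(m["ts"], m["ip"], m["method"], path, int(m["status"]), tuple(reasons))


def analyze(lines: Iterable[str], trusted=TRUSTED_NETS) -> List[Finding]:
    """Run classify() over every line and collect the findings in log order."""
    findings = []
    for line in lines:
        f = classify(line, trusted)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp}  {f.src_ip:<15} {f.method:<4} {f.path:<12} "
              f"{f.status}  {','.join(f.reasons)}")
```

On the sample data the two trusted-network reads are silent, the external reads are flagged as policy violations, and the external POST to U.htm is flagged twice. Feed `analyze()` real proxy or firewall logs and the trusted networks for your site; a `user_setup_write` with no matching change ticket is the signal to pull the controller off the network and verify its user list.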