Honeywell IQ4x BMS Controller Vulnerability Advisory
A high-severity vulnerability (CVE-2026-3611) has been identified in the Honeywell IQ4x Building Management System (BMS) Controller. Successful exploitation could allow an unauthorized user to access controller management settings, manipulate controlled components, disclose sensitive information, or cause a denial-of-service condition.
Key Details:
- Vulnerability ID: CVE-2026-3611
- Severity: High
- Affected Versions:
  - IQ4E: >=Firmware_v3.50_3.44 and <4.36_build_4.3.7.9
  - IQ412: >=Firmware_v3.50_3.44 and <4.36_build_4.3.7.9
  - IQ422: >=Firmware_v3.50_3.44 and <4.36_build_4.3.7.9
  - IQ4NC: >=Firmware_v3.50_3.44 and <4.36_build_4.3.7.9
  - IQ41x: >=Firmware_v3.50_3.44 and <4.36_build_4.3.7.9
  - IQ3: >=Firmware_v3.50_3.44 and <4.36_build_4.3.7.9
  - IQECO: >=Firmware_v3.50_3.34 and <4.36_build_4.3.7.9
Impact:
In its factory-default configuration the controller serves its full web-based Human-Machine Interface (HMI) over HTTP without requiring authentication. Anyone who can reach that HTTP interface on the network therefore gets read/write access to the controller; no credentials, exploit or special tooling is needed.
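The following is an added example, not code from the Honeywell or CISA advisory, showing how an operator can check their own controller inventory for the condition described above: an HTTP interface that answers a plain, unauthenticated GET with content instead of an authentication challenge. It sends one request to the root path and classifies the response; the two mock servers and the loopback ports are constructed for the demonstration, and the device endpoint, port and login behaviour of a real controller are assumptions the operator should confirm from the vendor documentation.

```python
"""Exposure check for a building controller's HTTP HMI.

Added example, not part of the Honeywell/CISA advisory. One unauthenticated
GET to the root path is classified as:
  'open'          - 2xx with a body and no auth challenge (the advisory's condition)
  'auth_required' - 401/403 or a WWW-Authenticate header
  'unreachable'   - connection refused / timed out / reset
Anything else is reported as 'status_<code>' for manual follow-up.
Hosts, ports and the two mock servers below are constructed for the demo.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_http_exposure(host, port, path="/", timeout=3.0):
    """Return 'open', 'auth_required', 'unreachable' or 'status_<code>'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "bms-exposure-check"})
        resp = conn.getresponse()
        body = resp.read(4096)  # enough to tell "page served" from "empty reply"
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()

    if resp.status in (401, 403) or resp.getheader("WWW-Authenticate"):
        return "auth_required"
    if 200 <= resp.status < 300 and body:
        return "open"
    # Redirects (e.g. to a login page), 404s, etc. are neither confirmed open
    # nor confirmed protected; surface the code so an operator can look.
    return f"status_{resp.status}"


class _OpenHMI(BaseHTTPRequestHandler):
    """Constructed stand-in for a controller serving its HMI to anyone."""

    def do_GET(self):
        page = b"<html><title>Controller</title><body>Setpoints</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class _ProtectedHMI(BaseHTTPRequestHandler):
    """Constructed stand-in for a controller that challenges for credentials."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="controller"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def _serve(handler):
    """Start a mock server on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_demo():
    """Probe an open mock, a protected mock and a closed port; return the verdicts."""
    open_srv, open_port = _serve(_OpenHMI)
    prot_srv, prot_port = _serve(_ProtectedHMI)
    # Bind-then-close yields a loopback port with no listener (connection refused).
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    closed_port = s.getsockname()[1]
    s.close()
    try:
        return {
            "open_hmi": classify_http_exposure("127.0.0.1", open_port),
            "protected_hmi": classify_http_exposure("127.0.0.1", prot_port),
            "no_listener": classify_http_exposure("127.0.0.1", closed_port),
        }
    finally:
        for srv in (open_srv, prot_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for target, verdict in run_demo().items():
        print(f"{target}: {verdict}")
```

Run `classify_http_exposure()` against each controller address in the asset inventory before and after applying the network controls below; an "open" verdict from any host outside the control-system segment means the isolation is not yet effective. The check only speaks plain HTTP on the port given and does not try HTTPS or alternate paths, so treat "status_<code>" results as inconclusive rather than safe.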
Recommendations:
CISA recommends that users take defensive measures to minimize the risk of exploitation. These measures include:
- Minimizing network exposure for all control system devices.
- Ensuring devices are not accessible from the internet.
- Using firewalls to isolate control system networks from business networks.
- Implementing secure remote access methods, such as Virtual Private Networks (VPNs).
For more detailed information, refer to the full advisory.
Stay safe and secure!