VYPR
Critical severity10.0NVD Advisory· Published Mar 12, 2026· Updated Jun 5, 2026

CVE-2026-3611

CVE-2026-3611

Description

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

13
  • cpe:2.3:o:honeywell:iq412_firmware:*:*:*:*:*:*:*:*+ 3 more
    • cpe:2.3:o:honeywell:iq412_firmware:*:*:*:*:*:*:*:*range: <3.30
    • cpe:2.3:o:honeywell:iq41x_firmware:*:*:*:*:*:*:*:*range: <3.30
    • cpe:2.3:o:honeywell:iq422_firmware:*:*:*:*:*:*:*:*range: <3.30
    • cpe:2.3:o:honeywell:iq4nc_firmware:*:*:*:*:*:*:*:*range: <3.30
  • cpe:2.3:o:honeywell:iq4e_firmware:*:*:*:*:*:*:*:*
    Range: <3.30
  • Honeywell/IQ4xllm-fuzzy
  • Honeywell/IQ3v5
    Range: v3.50_3.44
  • Honeywell/IQ412v5
    Range: v3.50_3.44
  • Honeywell/IQ41xv5
    Range: v3.50_3.44
  • Honeywell/IQ422v5
    Range: v3.50_3.44
  • Honeywell/IQ4Ev5
    Range: v3.50_3.44
  • Honeywell/IQ4NCv5
    Range: v3.50_3.44
  • Honeywell/IQECOv5
    Range: v3.50_3.44

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.