Platform: other
Component: csaf
Fixed in: 4.36.1
CVE-2026-3611 is a critical authentication bypass in the Honeywell IQ4x Building Management System (BMS) Controller. The controller's web-based Human-Machine Interface (HMI) grants read/write access without any authentication. Affected versions are 3.50 through 4.36 (build 4.3.7.9). The root cause is the default configuration: authentication is not enforced until a user module has been created, so a controller deployed with factory settings serves the HMI to anyone who can reach it.
The impact is severe. An attacker who can reach the IQ4x controller's HTTP interface can create a new administrative account and take full control of the building management system: reading and modifying the configuration, disrupting building operations, manipulating sensor data, and accessing sensitive building information. Given the role BMS controllers play in building automation, successful exploitation can have significant operational and safety consequences. Because authentication is off by default, the exposure is not limited to controllers that were misconfigured later; any unit that was never given a user account is open to both internal and, if the interface is reachable from outside, external attackers.
This vulnerability was publicly disclosed on March 12, 2026. No public proof-of-concept (PoC) has been released, but none is needed: exploitation requires nothing more than an HTTP request to an unconfigured controller. The vulnerability is not currently listed on CISA KEV, but its criticality warrants close monitoring. The insecure default mirrors weaknesses seen in other industrial control systems and underlines the importance of secure default configurations.
Exploit Status
EPSS: 0.21% (44th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Honeywell IQ4x BMS Controller to 4.36.1, the fixed version listed above. Until the upgrade is applied, the workaround that removes the exploitable condition is to create a user account on the controller so that the user module exists and authentication is enforced, using a strong, unique password. In addition: segment the network so the controller is reachable only from the BMS management network; block access to the controller's HTTP interface at the firewall from every other network; review the configuration to confirm that authentication is enabled; and use multi-factor authentication if the controller supports it. After applying these measures, verify them from an untrusted vantage point by requesting the HMI without credentials and confirming that the controller either refuses the request or cannot be reached.
Upgrade the Honeywell IQ4x BMS controller to a version that requires authentication by default. Configure a web user via U.htm to enable the user module and enforce authentication. Be sure to set strong credentials to prevent unauthorized access.
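One way to carry out the verification step described above, and to confirm that creating a web user via U.htm actually turned authentication on: the script below is an added example, not Honeywell code and not part of this page's original content. It requests the controller's HMI without credentials, refuses to follow redirects so that a bounce to a login page can be recognised, and reports whether the interface is still served unauthenticated. The "/" path, the 192.0.2.10 placeholder address and the heuristics for recognising a login form are assumptions; "/U.htm" is the user-configuration page this page itself names.

```python
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Paths probed without credentials. "/U.htm" is the user-configuration page
# named on this page; "/" is an assumption about where the HMI front page lives.
DEFAULT_PATHS = ("/", "/U.htm")


@dataclass
class ProbeResult:
    path: str
    status: Optional[int]   # HTTP status code, or None if no HTTP response came back
    verdict: str            # "open", "auth-required", "unreachable" or "other"
    detail: str


def classify(status: Optional[int], headers: Optional[Dict[str, str]] = None,
             body: bytes = b"") -> Tuple[str, str]:
    """Classify one unauthenticated response.

    "open" means the controller served HMI content without asking for
    credentials, i.e. the CVE-2026-3611 condition is still present.
    """
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    lowered = body.lower()
    if status is None:
        return "unreachable", "no HTTP response (filtered by firewall/segmentation, or host down)"
    if status in (401, 407) or "www-authenticate" in hdrs:
        return "auth-required", f"HTTP {status} with credential challenge"
    if status == 403:
        return "auth-required", "HTTP 403 Forbidden"
    if status in (301, 302, 303, 307, 308):
        loc = hdrs.get("location", "")
        if "login" in loc.lower():
            return "auth-required", f"redirect to login page {loc}"
        return "other", f"redirect to {loc or '<no Location header>'}"
    if status == 200:
        # A 200 that carries a password field is a login form, not the HMI (heuristic).
        if b'type="password"' in lowered or b"type='password'" in lowered:
            return "auth-required", "HTTP 200 login form"
        if lowered.strip():
            return "open", "HTTP 200 with page content served without credentials"
        return "other", "HTTP 200 with empty body"
    return "other", f"HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, paths=DEFAULT_PATHS, timeout: float = 5.0) -> List[ProbeResult]:
    """Request each path without credentials and classify the answers."""
    opener = urllib.request.build_opener(_NoRedirect())
    results = []
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "iq4x-auth-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, hdrs, body = resp.status, dict(resp.headers.items()), resp.read(65536)
        except urllib.error.HTTPError as err:          # 3xx/4xx/5xx land here
            status = err.code
            hdrs = dict(err.headers.items()) if err.headers else {}
            try:
                body = err.read(65536)
            except Exception:
                body = b""
        except (urllib.error.URLError, OSError):        # refused, timed out, filtered
            status, hdrs, body = None, {}, b""
        verdict, detail = classify(status, hdrs, body)
        results.append(ProbeResult(path, status, verdict, detail))
    return results


def overall_verdict(results: List[ProbeResult]) -> str:
    """Roll the per-path verdicts up into one answer for the mitigation check."""
    verdicts = {r.verdict for r in results}
    if "open" in verdicts:
        return "EXPOSED"        # at least one path was served without credentials
    if verdicts and verdicts <= {"auth-required", "unreachable"}:
        return "MITIGATED"      # every path demanded credentials or was filtered
    return "INCONCLUSIVE"       # unexpected redirects, 5xx, etc.; inspect by hand


if __name__ == "__main__":
    # Usage: python iq4x_auth_check.py http://<controller-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10"   # placeholder address
    findings = probe(target)
    for r in findings:
        print(f"{r.path:<8} {r.status!s:<5} {r.verdict:<14} {r.detail}")
    print("RESULT:", overall_verdict(findings))
```

Run it from a host outside the BMS segment as well as from inside it: "MITIGATED" from outside should come from "unreachable" (the firewall rule works), while from inside the management network it should come from "auth-required" (the user module exists). An "EXPOSED" result on either path means the controller is still serving the HMI without credentials.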
CVE-2026-3611 is a critical vulnerability in the Honeywell IQ4x BMS Controller that allows attackers to bypass authentication and gain unauthorized access to the system's web-based interface.
If you are using a Honeywell IQ4x BMS Controller version between 3.50 and 4.36 (build 4.3.7.9) and have not configured authentication, you are likely affected by this vulnerability.
The recommended fix is to upgrade to 4.36.1, the fixed version listed above. Until the upgrade is applied, create a user account on the controller so that authentication is enforced, and restrict access to its HTTP interface with network segmentation and firewall rules.
No active exploitation has been confirmed, but the default configuration makes exploitation trivial for anyone who can reach the controller's HTTP interface, so exposed units should be treated as at risk.
Please refer to the Honeywell security advisory for CVE-2026-3611 on the Honeywell website (link to advisory would be here if available).