4.36.1
CVE-2026-3611 describes a critical authentication bypass vulnerability in the Honeywell IQ4x Building Management System (BMS) Controller. This flaw allows attackers to gain unauthorized read/write access to the system's web-based Human-Machine Interface (HMI) without authentication. The vulnerability impacts versions 3.50 through 4.36 (build 4.3.7.9) and is due to the system's default configuration, which disables authentication controls until a user module is created.
The impact of this vulnerability is severe. An attacker who can reach the IQ4x controller's HTTP interface can create a new administrative account, effectively gaining full control over the building management system. This control extends to reading and modifying system configurations, potentially disrupting building operations, manipulating sensor data, and even gaining access to sensitive building information. Given the critical role BMS controllers play in building automation, successful exploitation could lead to significant operational and safety consequences. The lack of authentication by default significantly broadens the attack surface, making the system vulnerable to both internal and external threats.
This vulnerability was publicly disclosed on March 12, 2026. While no public proof-of-concept (PoC) has been released, the ease of exploitation due to the default configuration raises concerns about potential exploitation. The vulnerability is not currently listed on CISA KEV, but its criticality warrants close monitoring. The lack of authentication controls mirrors vulnerabilities seen in other industrial control systems, highlighting the importance of secure default configurations.
Organizations that rely on Honeywell IQ4x BMS Controllers for building automation are at risk, particularly those with default configurations or those lacking network segmentation. Shared hosting environments where multiple customers share the same network infrastructure are also at increased risk, as a compromise of one customer could potentially lead to access to the IQ4x controller.
• windows / supply-chain: Monitor network traffic for connections to the IQ4x controller's HTTP interface on port 80 or 443.
• linux / server: Use ss or netstat to list established TCP connections whose destination is the controller's IP address (ss filters on the destination with dst; the original "ss -t http -l" only lists local listening sockets and is not valid filter syntax).

    ss -tn dst <IQ4x_IP_Address>

• generic web: Use curl to attempt access to the HMI without authentication; -i prints the status line and headers, so a 401/403 challenge (or the absence of one) is visible.

    curl -i http://<IQ4x_IP_Address>/

• database (mysql, redis, mongodb, postgresql): N/A - this vulnerability does not directly affect databases.
• other: Review firewall logs for unauthorized access attempts to the IQ4x controller.
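The firewall-log review from the last bullet, worked through as an added example (not part of this advisory or of any Honeywell tooling). It assumes a netfilter-style LOG line format and constructed sample values: the controller at 192.0.2.10 and a management subnet 10.0.5.0/24 as the only source allowed to reach the HMI ports. Every connection to port 80 or 443 on the controller from any other source is reported, including dropped ones, since repeated blocked attempts are still worth a look.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed example values (assumptions, not from the advisory): the controller
# sits at 192.0.2.10 and only the BMS management subnet 10.0.5.0/24 may reach it.
CONTROLLER_IP = "192.0.2.10"
HMI_PORTS = {80, 443}
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample log in the netfilter LOG style many Linux firewalls emit.
SAMPLE_FIREWALL_LOG = """\
Mar 12 10:01:02 fw kernel: FW-ACCEPT IN=eth1 OUT=eth2 SRC=10.0.5.23 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80
Mar 12 10:01:05 fw kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=80
Mar 12 10:01:09 fw kernel: FW-DROP IN=eth0 OUT=eth2 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=443
Mar 12 10:02:11 fw kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40013 DPT=443
Mar 12 10:02:30 fw kernel: FW-ACCEPT IN=eth1 OUT=eth3 SRC=10.0.5.23 DST=192.0.2.50 PROTO=TCP SPT=51240 DPT=22
"""

# Pull out timestamp, verdict, source, destination, protocol and destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\skernel:\s(?P<action>FW-\w+)\s.*?"
    r"SRC=(?P<src>[\d.]+)\s.*?DST=(?P<dst>[\d.]+)\s.*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    port: int
    action: str


def is_allowed_source(addr: str) -> bool:
    """True when the source address lies inside one of the permitted management networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def find_unauthorized_hmi_access(log_text: str) -> list[Finding]:
    """Return every TCP connection to the controller's HTTP/HTTPS ports from outside the allowed subnet."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall LOG line; ignore
        if m["dst"] != CONTROLLER_IP or m["proto"] != "TCP":
            continue
        port = int(m["dpt"])
        if port not in HMI_PORTS or is_allowed_source(m["src"]):
            continue
        findings.append(Finding(m["ts"], m["src"], port, m["action"]))
    return findings


def accepted_findings(findings: list[Finding]) -> list[Finding]:
    """Subset of findings the firewall actually let through; these need immediate follow-up."""
    return [f for f in findings if f.action == "FW-ACCEPT"]


if __name__ == "__main__":
    for f in find_unauthorized_hmi_access(SAMPLE_FIREWALL_LOG):
        print(f"{f.timestamp} {f.action:<10} {f.source} -> {CONTROLLER_IP}:{f.port}")
```

Accepted connections from outside the management subnet are the ones that matter most while the controller still runs with authentication disabled: each is a session that could have created an administrative account, so the controller's user list should be reviewed alongside the log.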
disclosure
Exploitation status
EPSS: 0.21% (44th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Honeywell IQ4x BMS Controller to a patched version as soon as it becomes available. Until a patch is applied, several workarounds can be implemented. First, segment the network to restrict access to the IQ4x controller from untrusted networks. Second, configure a firewall to block external access to the controller's HTTP interface. Third, review and harden the system's configuration, ensuring that authentication is enabled and strong passwords are used. Consider implementing multi-factor authentication if supported by the controller. After implementing these mitigations, verify the configuration by attempting to access the HMI without authentication and confirming that access is denied.
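The final verification step above, as an added example that is neither part of this advisory nor Honeywell's own tooling: an unauthenticated GET against the HMI whose response is classified rather than eyeballed. The controller URL is a constructed placeholder, and the classifier's rules are an assumption about how a hardened web interface answers (a 401 challenge, a 403, or a redirect to a login page count as enforced; a 2xx body served without any challenge is reported as open and needs inspection).

```python
import urllib.error
import urllib.request

# Placeholder address (assumption, not from the advisory); replace with the controller's URL.
CONTROLLER_URL = "http://192.0.2.10/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx to a login page is itself the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status: int, headers: dict) -> str:
    """Map an unauthenticated HTTP response to a verdict on whether authentication is enforced.

    Header names in `headers` are expected in lowercase.
    """
    if status in (401, 403):
        return "enforced"  # credentials demanded or access refused outright
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location", "").lower()
        return "enforced" if "login" in location else "inconclusive"
    if 200 <= status < 300:
        return "open"  # content served with no challenge: inspect the page by hand
    return "inconclusive"


def probe_unauthenticated(url: str = CONTROLLER_URL, timeout: float = 5.0) -> str:
    """Fetch `url` with no credentials and return the verdict from classify_response."""
    req = urllib.request.Request(url, headers={"User-Agent": "bms-auth-verify/1.0"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as err:
        # 4xx/5xx and (because of NoRedirect) 3xx all arrive here with their headers intact.
        return classify_response(err.code, {k.lower(): v for k, v in err.headers.items()})
    except (urllib.error.URLError, OSError) as err:
        return f"unreachable: {err}"


if __name__ == "__main__":
    print(f"{CONTROLLER_URL}: {probe_unauthenticated()}")
```

Run it from a host that is allowed through the firewall to the controller; an "unreachable" result from a host outside the management subnet confirms the segmentation rules, while "enforced" from inside confirms that the user module is now rejecting anonymous requests. An "open" verdict is not always a failure (some interfaces return a 200 login form), so the served page should be checked manually before concluding anything.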
Update the Honeywell IQ4x BMS controller to a version that requires authentication by default. Configure web users via U.htm to enable the user module and enforce authentication. Set secure credentials to prevent unauthorized access.
CVE-2026-3611 is a critical vulnerability in the Honeywell IQ4x BMS Controller that allows attackers to bypass authentication and gain unauthorized access to the system's web-based interface.
If you are using a Honeywell IQ4x BMS Controller version between 3.50 and 4.36 (build 4.3.7.9) and have not configured authentication, you are likely affected by this vulnerability.
The recommended fix is to upgrade to a patched version of the Honeywell IQ4x BMS Controller. Until a patch is available, implement network segmentation and firewall rules to restrict access.
While no active exploitation has been confirmed, the ease of exploitation due to the default configuration raises concerns about potential exploitation.
Please refer to the Honeywell security advisory for CVE-2026-3611 on the Honeywell website (link to advisory would be here if available).