Executive Summary
In March 2026, a critical vulnerability (CVE-2026-3611) was identified in Honeywell's IQ4x Building Management System (BMS) controllers. In the factory-default configuration the controllers expose their web-based Human-Machine Interface (HMI) without any authentication, so a remote attacker who can reach the interface can create administrative accounts, manipulate building controls, and potentially lock out legitimate operators. The vulnerability affects multiple models, including IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, and IQECO, on firmware from v3.50_3.44 up to, but not including, v4.36_build_4.3.7.9, the first version outside the affected range. (community.itbible.org)
The discovery underscores the critical need for secure default configurations in industrial control systems. With thousands of these controllers potentially exposed online, the risk of unauthorized access to critical infrastructure is heightened, emphasizing the importance of immediate remediation and robust security practices in operational technology environments. (cybersecuritynews.com)
Why This Matters Now
The widespread deployment of vulnerable Honeywell IQ4x controllers in critical infrastructure sectors poses an immediate risk of unauthorized access and control. Organizations must urgently implement mitigations to prevent potential exploitation and ensure the security of their building management systems.
Attack Path Analysis
In the attack path modelled here, an attacker with network reach to the controller's web-based HMI gets in without credentials, because the factory-default configuration enforces no authentication. Using the U.htm endpoint they create an administrative account, which gives them persistent privileged control of the controller. From the controller they move laterally to other systems on the building network, establish a command and control channel to retain access, exfiltrate sensitive data from the compromised systems, and finally disrupt operations by altering building management settings.
Kill Chain Progression
Initial Compromise
Description
The attacker remotely accessed the Honeywell IQ4x BMS controller's web-based HMI due to its default unauthenticated configuration.
Related CVEs
CVE-2026-3611
CVSS 10
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration, allowing unauthorized access to controller management settings, control components, information disclosure, or denial-of-service conditions.
Affected Products:
Honeywell IQ4E – >=Firmware_v3.50_3.44, <4.36_build_4.3.7.9
Honeywell IQ412 – >=Firmware_v3.50_3.44, <4.36_build_4.3.7.9
Honeywell IQ422 – >=Firmware_v3.50_3.44, <4.36_build_4.3.7.9
Honeywell IQ4NC – >=Firmware_v3.50_3.44, <4.36_build_4.3.7.9
Honeywell IQ41x – >=Firmware_v3.50_3.44, <4.36_build_4.3.7.9
Honeywell IQ3 – >=Firmware_v3.50_3.44, <4.36_build_4.3.7.9
Honeywell IQECO – >=Firmware_v3.50_3.44, <4.36_build_4.3.7.9
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
  Default Accounts (T1078.001)
  Local Accounts (T1078.003)
  Cloud Accounts (T1078.004)
Exploit Public-Facing Application (T1190)
Endpoint Denial of Service (T1499)
  OS Exhaustion Flood (T1499.001)
  Service Exhaustion Flood (T1499.002)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Define Access Control Policies
Control ID: 7.1.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Critical infrastructure vulnerability in Honeywell BMS controllers threatens patient safety through unauthorized control of HVAC systems and may bear on HIPAA Security Rule facility access control obligations.
Government Administration
Missing authentication in building management systems exposes government facilities to complete operational control takeover, compromising security and critical facility operations.
Commercial Real Estate
CVSS 10 vulnerability allows attackers to hijack building management controllers, enabling unauthorized control of heating, cooling, and security systems across properties.
Higher Education/Academia
Unauthenticated web interfaces in campus building systems create denial-of-service risks and operational disruption potential across educational facility management infrastructure.
Sources
- Honeywell IQ4x BMS Controller (CISA ICS advisory ICSA-26-069-03): https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03 (verified)
- Honeywell IQ4x BMS Controller product page: https://buildings.honeywell.com/us/en/products/by-category/control-panels/building-controls/plant-and-integration-controllers/iq4nc-controller (verified)
- Honeywell's Statement on Java Apache Log4j Logging Framework Vulnerability: https://www.honeywell.com/us/en/press/2021/12/honeywells-statement-on-java-apache-log4j-logging-framework-vulnerability (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF could have significantly limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data within the building's network.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit default unauthenticated configurations would likely be constrained, reducing the risk of unauthorized remote access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through unauthorized account creation would likely be constrained, reducing the risk of administrative control acquisition.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across the network would likely be constrained, reducing the risk of widespread system compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing the risk of persistent unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data breaches.
The attacker's ability to alter building management settings would likely be constrained, reducing the risk of operational disruptions.
Impact at a Glance
Affected Business Functions
- Building Management System Operations
- Facility Security Controls
- Energy Management
- HVAC Control
Estimated downtime: N/A
Estimated loss: N/A
Potential unauthorized access to building management settings and control components.
Recommended Actions
Key Takeaways & Next Steps
- Update affected controllers to firmware 4.36_build_4.3.7.9 or later, the first version outside the affected range, and configure authentication on the web HMI. The vulnerability is the factory-default unauthenticated state; network controls reduce exposure but do not remove it.
- Keep controller HMIs off the internet and reachable only from the BMS management network, and review access logs for requests to the U.htm endpoint (the page used for account creation) from anywhere else.
- Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal network communications.
- Utilize Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Establish Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.



