PROBABLYPWNED
Vulnerabilities · March 19, 2026 · 4 min read

Honeywell BMS Controllers Ship With No Authentication by Design

CVE-2026-3611 exposes Honeywell IQ4x building management controllers with CVSS 10 severity. Default configuration allows anyone to create admin accounts.

Marcus Chen

A maximum-severity vulnerability in Honeywell's IQ4x building management controllers leaves critical infrastructure exposed to remote takeover by design. In the factory-default configuration, anyone who can reach the web interface can create an administrative account and take complete control.

CISA published an ICS advisory for CVE-2026-3611, assigning it a CVSS score of 10.0 - the maximum possible rating. The flaw affects IQ4x controllers used to manage HVAC, lighting, and other building automation functions across commercial, healthcare, government, and industrial facilities.

Security Disabled by Design

The vulnerability stems from an architectural choice in the IQ4x firmware. With no user module configured - which is the out-of-box state - security controls are completely disabled. The system operates under a "System Guest" context with read/write privileges available to anyone who can access the HTTP interface.

Authentication controls only activate after a web user is created through the controller's U.htm configuration page. But here's the critical flaw: that configuration page is itself accessible without authentication. A remote attacker can simply create a new administrative account before any legitimate user sets up security, effectively locking out the actual operators.

The vulnerability was discovered by Gjoko Krstic of Zero Science and disclosed to Honeywell, who released firmware version 4.9.0 to address the issue.

Affected Controllers

The vulnerability affects multiple IQ4 family models running vulnerable firmware versions:

  • IQ4E
  • IQ412
  • IQ422
  • IQ4NC
  • IQ41x
  • IQ3
  • IQECO

Affected firmware versions include >= v3.50_3.44 and < 4.36_build_4.3.7.9. Organizations should verify their specific model numbers and firmware versions against Honeywell's advisory.

What Can Attackers Do?

Successful exploitation provides complete control over building management functions. Attackers could:

  • Modify HVAC settings to create uncomfortable or dangerous conditions
  • Disable lighting controls
  • Access sensitive building configuration data
  • Lock out legitimate administrators
  • Create persistent backdoor accounts
  • Potentially pivot to other connected building systems

For healthcare facilities or data centers where environmental controls directly impact operations, the consequences extend beyond inconvenience into safety and business continuity territory.

Internet Exposure Concerns

Building management systems are frequently exposed to the internet for remote administration, and IQ4x controllers are no exception. While the advisory recommends keeping these systems off public networks, the reality is that many deployments prioritize convenience over security.

This follows a concerning pattern in industrial control system vulnerabilities where default configurations assume a trusted network environment that rarely exists in practice.

Security researchers regularly find building automation systems accessible via Shodan and similar services. The combination of internet exposure and missing authentication creates exactly the conditions attackers look for.

Mitigation Steps

Organizations running affected IQ4x controllers should:

  1. Update firmware immediately - Version 4.9.0 addresses the authentication flaw
  2. Audit existing accounts - Check for any unauthorized administrative accounts that may have been created
  3. Isolate from internet - If not already segmented, remove BMS controllers from internet-accessible networks
  4. Implement network monitoring - Watch for unusual access patterns to controller web interfaces
  5. Use VPN for remote access - If remote management is required, route through authenticated VPN connections

CISA's advisory emphasizes minimizing network exposure and placing control systems behind firewalls, isolated from business networks.
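One way to act on steps 2 and 4 above is to review HTTP access to the controller's web interface for requests from outside the management subnet and for writes to the U.htm user configuration page. The following is an added example, not code from the article or from Honeywell; the log lines are constructed in Common Log Format (as a reverse proxy or network sensor might record them, not actual IQ4x output), and the management subnet 10.20.0.0/24 is an assumption.

```python
import ipaddress
import re

# Constructed sample log lines in Common Log Format, as a reverse proxy or
# sensor in front of the controller might record them (not real IQ4x output).
SAMPLE_LOG = """\
10.20.0.15 - - [19/Mar/2026:09:12:01 +0000] "GET /index.htm HTTP/1.1" 200 1422
203.0.113.45 - - [19/Mar/2026:09:13:40 +0000] "GET /U.htm HTTP/1.1" 200 2210
203.0.113.45 - - [19/Mar/2026:09:13:58 +0000] "POST /U.htm HTTP/1.1" 200 310
10.20.0.15 - - [19/Mar/2026:09:20:11 +0000] "POST /U.htm HTTP/1.1" 200 310
10.20.0.15 - - [19/Mar/2026:09:21:00 +0000] "GET /status.htm HTTP/1.1" 200 980
"""

# Assumed management subnet: the only sources that should ever reach the BMS.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# User configuration page named in the advisory; a POST here creates web users.
USER_CONFIG_PAGE = "/u.htm"

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, ts, method.upper(), path.split("?", 1)[0].lower(), int(status)


def flag_suspicious_requests(log_text, trusted_nets):
    """Return (ip, method, path, reasons) for every request worth review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _ts, method, path, _status = rec
        reasons = []
        # Any hit from outside the management subnet is a segmentation failure.
        if not any(ipaddress.ip_address(ip) in net for net in trusted_nets):
            reasons.append("untrusted_source")
        # Every write to U.htm should match a recorded, approved account change.
        if path == USER_CONFIG_PAGE and method == "POST":
            reasons.append("user_config_write")
        if reasons:
            findings.append((ip, method, path, tuple(reasons)))
    return findings
```

A `user_config_write` from a trusted address is not necessarily malicious; compare each one against your change records and the account list on the controller, and treat any `untrusted_source` hit as evidence the device is reachable from where it should not be.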

Why This Matters

Building management systems represent a growing attack surface that security teams often overlook. They're frequently managed by facilities teams rather than IT security, leading to blind spots in vulnerability management programs.

The IQ4x flaw demonstrates how design decisions made years ago can create lasting security debt. Shipping devices with security disabled by default and requiring manual activation inverts the principle of secure-by-default that modern device manufacturers should follow.

For organizations managing significant building portfolios, this disclosure should prompt a broader audit of BMS security postures. If Honeywell shipped controllers this way, what assumptions are baked into other vendors' products?

Understanding the broader landscape of critical infrastructure threats helps contextualize why building systems deserve the same security attention as traditional IT assets.
