A critical security flaw has been uncovered in the Honeywell IQ4x Building Management System (BMS) Controller family, exposing industrial and commercial facilities to potential remote exploitation. The vulnerability, tracked as CVE-2026-3611, carries a maximum CVSS score of 10.0, signaling the highest possible level of risk.
According to the security advisory, “Successful exploitation of this vulnerability could allow an unauthorized attacker to access controller management settings, control components, disclose information, or cause a denial-of-service condition”.
The root of the issue lies in the device’s initial setup. Researchers found that the controller “exposes its full web-based HMI without authentication in its factory-default configuration”.
This means that if a building administrator fails to configure a user module upon installation, the management interface remains wide open. In such a scenario, any individual with network access to the controller can manipulate critical building functions—from climate control to security settings—without ever needing a password.
The vulnerability impacts a broad range of Honeywell’s IQ4x line, specifically those running firmware versions between v3.50_3.44 and v4.36_build_4.3.7.9. The list of affected hardware includes:
- IQ4E
- IQ412
- IQ422
- IQ4NC
- IQ41x
- IQ3
- IQECO
To protect these systems, administrators must move beyond the default settings. The primary defense against this flaw is to configure the user module and authentication immediately after installation, so that the web-based Human Machine Interface (HMI) is locked down rather than left open.
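The two facts the advisory gives a defender are the affected firmware range and the default-open HMI. The following Python triage helper turns both into an inventory check; it is an added example, not Honeywell's code or the advisory's tooling. It assumes (1) that the leading "vMAJOR.MINOR" of a firmware string such as "v3.50_3.44" or "v4.36_build_4.3.7.9" is the comparable version and the build suffix can be ignored, (2) that the advisory's "between ... and ..." range is inclusive at both ends, and (3) that an HMI whose root page answers a plain GET with HTTP 200 and no WWW-Authenticate challenge or login redirect is effectively unauthenticated. No IQ4x-specific URL or login path appears on the page, so only generic HTTP signals are used; the hostnames, firmware strings and responses in the sample inventory are constructed.

```python
"""Inventory triage for the Honeywell IQ4x advisory (CVE-2026-3611).
Added example; assumptions 1-3 are described in the lead-in and marked below."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable, Mapping

AFFECTED_MIN = "v3.50_3.44"           # lower bound quoted by the advisory
AFFECTED_MAX = "v4.36_build_4.3.7.9"  # upper bound quoted by the advisory

_VERSION_RE = re.compile(r"^v(\d+)\.(\d+)")


def parse_version(fw: str) -> tuple[int, int]:
    """Return (major, minor) from the leading 'vX.Y' of a firmware string (assumption 1)."""
    m = _VERSION_RE.match(fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected_version(fw: str) -> bool:
    """True when fw lies inside the advisory's range, inclusive (assumption 2)."""
    return parse_version(AFFECTED_MIN) <= parse_version(fw) <= parse_version(AFFECTED_MAX)


@dataclass(frozen=True)
class HmiFinding:
    status: int
    verdict: str   # "unauthenticated", "protected" or "inconclusive"
    reason: str


def classify_hmi_response(status: int, headers: Mapping[str, str]) -> HmiFinding:
    """Classify the HMI root response, redirects not followed (assumption 3)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in h:
        return HmiFinding(status, "protected", "HTTP authentication challenge")
    if status == 403:
        return HmiFinding(status, "protected", "access forbidden")
    if status in (301, 302, 303, 307, 308):
        location = h.get("location", "")
        if "login" in location.lower():
            return HmiFinding(status, "protected", f"redirect to login page {location!r}")
        return HmiFinding(status, "inconclusive", f"redirect to {location!r}; inspect manually")
    if status == 200:
        return HmiFinding(status, "unauthenticated", "HMI page served with no challenge")
    return HmiFinding(status, "inconclusive", f"unexpected status {status}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_hmi(base_url: str, timeout: float = 5.0) -> HmiFinding:
    """Live check of one controller you administer; not used by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url, timeout=timeout) as resp:
            return classify_hmi_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:   # 3xx/4xx arrive here with headers intact
        return classify_hmi_response(err.code, dict(err.headers))


def triage(inventory: Iterable[Mapping]) -> list[tuple[str, str]]:
    """Rank controllers: affected firmware plus an open HMI is the advisory's scenario."""
    ranked = []
    for rec in inventory:
        affected = is_affected_version(rec["firmware"])
        finding = classify_hmi_response(rec["status"], rec["headers"])
        if affected and finding.verdict == "unauthenticated":
            prio = "P1: configure user module and authentication now"
        elif affected:
            prio = f"P2: affected firmware, HMI {finding.verdict} ({finding.reason})"
        else:
            prio = "P3: outside advisory range, verify separately"
        ranked.append((rec["host"], prio))
    return ranked


# Constructed sample inventory: not real devices, firmware strings or responses.
SAMPLE_INVENTORY = [
    {"host": "bms-01.example", "firmware": "v4.10_build_4.2.0.1", "status": 200,
     "headers": {"Content-Type": "text/html"}},
    {"host": "bms-02.example", "firmware": "v4.36_build_4.3.7.9", "status": 302,
     "headers": {"Location": "/login.htm"}},
    {"host": "bms-03.example", "firmware": "v3.49_3.40", "status": 200,
     "headers": {"Content-Type": "text/html"}},
]

if __name__ == "__main__":
    for host, prio in triage(SAMPLE_INVENTORY):
        print(f"{host}: {prio}")
```

The offline path (`triage` over recorded status codes and headers) is what a team would feed from an existing asset scan; `probe_hmi` is the single-host live equivalent, and it deliberately refuses to follow redirects so that a login redirect is reported as "protected" rather than being mistaken for a served HMI page. A 200 that arrives without any challenge is the factory-default condition the advisory describes, and on affected firmware it is ranked P1.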