CVE-2026-3611

CRITICAL

Honeywell IQ4x 3.50_3.44-4.36 (build 4.3.7.9) - Unauthenticated Account Creation and Privilege Escalation via U.htm

Title source: llm
STIX 2.1

Description

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.

References (3)

Core 3

Scores

CVSS v3 10.0
EPSS 0.0558
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-306
Status published
Products (12)
Honeywell/IQ3 v3.50_3.44 - 4.36 (build 4.3.7.9)
Honeywell/IQ412 v3.50_3.44 - 4.36 (build 4.3.7.9)
honeywell/iq412_firmware < 3.30
Honeywell/IQ41x v3.50_3.44 - 4.36 (build 4.3.7.9)
honeywell/iq41x_firmware < 3.30
Honeywell/IQ422 v3.50_3.44 - 4.36 (build 4.3.7.9)
honeywell/iq422_firmware < 3.30
Honeywell/IQ4E v3.50_3.44 - 4.36 (build 4.3.7.9)
honeywell/iq4e_firmware < 3.30
Honeywell/IQ4NC v3.50_3.44 - 4.36 (build 4.3.7.9)
... and 2 more
Published Mar 12, 2026
Tracked Since Mar 13, 2026