The Honeywell IQ4E building management controller suffers from a critical authentication bypass vulnerability identified as CVE-2026-3611 (CWE-306). In its factory-default configuration, the device exposes its full web-based Human Machine Interface (HMI) without requiring any authentication. The system operates under a System Guest (level 100) context, which grants read/write privileges to anyone able to access the HTTP interface. Authentication controls are only activated after a web user is created via the U.htm page, which dynamically enables the user module. However, since this user creation function is accessible without authentication, a remote attacker can create a new administrative account with full read/write permissions. This action enables the user module and imposes authentication under attacker-controlled credentials, effectively locking out legitimate users from both local and web-based administration. The vulnerability affects Honeywell IQ4E versions v3.50_3.44 and is rated critical with a CVSS 4.0 score of 10.0, indicating network exploitable, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the design flaw presents a severe risk to building management systems that rely on this controller for operational control and security.

This vulnerability allows an unauthenticated remote attacker to gain full administrative control over the Honeywell IQ4E building management controller. The attacker can read and modify system configurations, potentially disrupting building operations such as HVAC, lighting, and security systems. The ability to lock out legitimate operators can lead to denial of service and loss of control over critical infrastructure. Compromise of these controllers could also facilitate lateral movement within an organization's network, exposing other systems to risk. Given the critical role of building management systems in facility safety and energy management, exploitation could result in operational downtime, safety hazards, and significant financial and reputational damage. The lack of authentication by default increases the attack surface, especially in environments where network segmentation or firewall protections are insufficient.

Organizations should immediately verify if their Honeywell IQ4E controllers are running affected versions (v3.50_3.44) and assess exposure of the HTTP interface to untrusted networks. Network segmentation and firewall rules should be implemented to restrict access to the controller's web interface to trusted administrators only. If possible, disable or isolate devices in factory-default configurations until proper user modules and authentication are configured. Honeywell should be contacted for official patches or firmware updates addressing this vulnerability; until then, manual configuration of user accounts should be performed in a secure environment. Monitoring network traffic for unauthorized access attempts to the U.htm page can help detect exploitation attempts. Additionally, organizations should implement multi-factor authentication and strong password policies once user modules are enabled. Incident response plans should include procedures for recovery if unauthorized administrative accounts are created.