CVE-2026-3611 is a critical security vulnerability identified in the Honeywell IQ4x building management controller, specifically affecting versions v3.50_3.44. The root cause is a missing authentication mechanism for critical web-based Human Machine Interface (HMI) functions in the device's factory-default configuration. By default, the device disables security by design, operating under a System Guest (level 100) context that grants read/write privileges to any remote user able to access the HTTP interface. Authentication controls are only activated after a web user is created via the U.htm interface, which dynamically enables the user module. However, this user creation function is accessible without authentication, allowing a remote attacker to create a new administrative account with full read/write permissions. This enables the attacker to impose authentication under their control, effectively locking out legitimate operators from both local and web-based configuration and administration. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a CVSS 4.0 base score of 10.0, indicating critical severity. The attack vector is network-based with no privileges or user interaction required, and the impact spans confidentiality, integrity, and availability with high scope and security requirements. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to building management systems that rely on these controllers for operational control and safety.

The impact of CVE-2026-3611 on organizations worldwide is severe. Exploitation allows an unauthenticated remote attacker to gain full administrative control over Honeywell IQ4x building management controllers, which are critical components in managing HVAC, lighting, and other building automation systems. Unauthorized control can lead to manipulation or disruption of building operations, potentially causing physical damage, safety hazards, or operational downtime. The attacker can lock out legitimate administrators, preventing remediation or recovery without physical intervention. This could affect critical infrastructure facilities, commercial buildings, hospitals, and data centers relying on these controllers. The confidentiality of operational data is compromised, integrity of system configurations is lost, and availability of building management functions can be disrupted. Given the criticality of building management systems in maintaining environmental controls and safety, this vulnerability could have cascading effects on occupant safety, energy management, and business continuity.

To mitigate CVE-2026-3611, organizations should immediately implement the following specific actions: 1) Change the factory-default configuration by creating a web user account via the U.htm interface as soon as the device is deployed to enable authentication controls. 2) Restrict network access to the IQ4x controller’s HTTP interface by implementing network segmentation and firewall rules to limit access only to trusted management networks and personnel. 3) Disable or block access to the U.htm user creation page from untrusted networks to prevent unauthorized user creation. 4) Monitor network traffic and device logs for unauthorized access attempts or unexpected user creation events. 5) Apply any available vendor patches or firmware updates as soon as they are released, even though no patches are currently listed. 6) Consider deploying additional intrusion detection systems (IDS) to detect anomalous activity targeting building management controllers. 7) Establish physical security controls to prevent unauthorized local access to the devices. 8) Develop and test incident response plans specifically addressing building management system compromises to ensure rapid recovery and restoration of legitimate access.