Honeywell IQ412
cpe:2.3:h:honeywell:trend_iq412:*:*:*:*:*:*:*, +1 more
- >= Firmware_v3.50_3.44, < 4.36_build_4.3.7.9
A vulnerability exists in the Honeywell IQ4x building management controller, where the web-based human-machine interface (HMI) is accessible without authentication in the default factory configuration. This vulnerability affects several controller models, including IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, and IQECO, all running firmware versions from 3.50.3.44 prior to 4.36_build_4.3.7.9. In this unprotected state, the system operates under a System Guest context, which grants read/write access to anyone who can reach the HTTP interface. Authentication is only required after a web user has been created, and that creation can be performed through an unprotected URL. Exploiting this allows an attacker to create an admin account, potentially locking legitimate users out of the system.
Exploitation allows unauthorized access to controller management settings and components, with the potential to disrupt service or cause a denial-of-service condition.
Honeywell is aware of the issue but has not released a fix. For more information, contact Honeywell directly.
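To triage a controller inventory against the affected range stated above, the following is an added example (not code from the page or from Honeywell). It assumes the firmware strings compare numerically field by field once prefixes such as "Firmware_v" and "build" are stripped, and that the affected model names can be matched by the prefixes listed; the inventory entries are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Affected range as stated on the page: inclusive lower bound, exclusive upper bound.
AFFECTED_MIN = "Firmware_v3.50_3.44"
AFFECTED_MAX_EXCL = "4.36_build_4.3.7.9"

# Model families named on the page; "IQ41" covers the IQ41x family (assumption: prefix match).
AFFECTED_MODEL_PREFIXES = ("IQ4E", "IQ412", "IQ422", "IQ4NC", "IQ41", "IQ3", "IQECO")


def parse_firmware(version: str) -> Tuple[int, ...]:
    """Reduce a Trend IQ firmware string to a tuple of integers.

    'Firmware_v3.50_3.44', '3.50.3.44' and '4.36_build_4.3.7.9' become
    (3, 50, 3, 44), (3, 50, 3, 44) and (4, 36, 4, 3, 7, 9). Assumption: the
    numeric fields order like a dotted version, left to right.
    """
    fields = re.findall(r"\d+", version)
    if not fields:
        raise ValueError(f"no numeric fields in firmware string: {version!r}")
    return tuple(int(f) for f in fields)


def is_affected_firmware(version: str) -> bool:
    """True when the firmware falls inside [AFFECTED_MIN, AFFECTED_MAX_EXCL)."""
    v = parse_firmware(version)
    return parse_firmware(AFFECTED_MIN) <= v < parse_firmware(AFFECTED_MAX_EXCL)


def is_affected_model(model: str) -> bool:
    """True when the model name starts with one of the families listed on the page."""
    m = model.upper().replace(" ", "")
    return any(m.startswith(p) for p in AFFECTED_MODEL_PREFIXES)


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hosts whose model and firmware both fall in the affected set."""
    return [e["host"] for e in inventory
            if is_affected_model(e["model"]) and is_affected_firmware(e["firmware"])]


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    {"host": "bms-ctl-01", "model": "IQ412", "firmware": "Firmware_v3.50_3.44"},
    {"host": "bms-ctl-02", "model": "IQ4E", "firmware": "4.36_build_4.3.7.9"},
    {"host": "bms-ctl-03", "model": "IQ422", "firmware": "4.10_build_4.1.2.0"},
    {"host": "bms-ctl-04", "model": "IQ3", "firmware": "3.20"},
]

if __name__ == "__main__":
    print("controllers in affected range:", triage(SAMPLE_INVENTORY))
```

Controllers reported by triage are the ones whose HTTP interface should be confirmed to be behind a created web user and restricted to trusted networks until a fixed firmware is available.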