CVE-2026-3611 (GCVE-0-2026-3611)

Vulnerability from cvelistv5 – Published: 2026-03-12 20:06 – Updated: 2026-03-13 18:03
VLAI?
Title
Honeywell IQ4x BMS Controller Missing authentication for critical function
Summary
The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
Severity ?
10 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-306 - Missing authentication for critical function
Assigner
References
Impacted products
Vendor Product Version
Honeywell IQ4E Affected: v3.50_3.44 , ≤ 4.36 (build 4.3.7.9) (custom)
Create a notification for this product.
    Honeywell IQ412 Affected: v3.50_3.44 , ≤ 4.36 (build 4.3.7.9) (custom)
Create a notification for this product.
    Honeywell IQ422 Affected: v3.50_3.44 , ≤ 4.36 (build 4.3.7.9) (custom)
Create a notification for this product.
    Honeywell IQ4NC Affected: v3.50_3.44 , ≤ 4.36 (build 4.3.7.9) (custom)
Create a notification for this product.
    Honeywell IQ41x Affected: v3.50_3.44 , ≤ 4.36 (build 4.3.7.9) (custom)
Create a notification for this product.
    Honeywell IQ3 Affected: v3.50_3.44 , ≤ 4.36 (build 4.3.7.9) (custom)
Create a notification for this product.
    Honeywell IQECO Affected: v3.50_3.44 , ≤ 4.36 (build 4.3.7.9) (custom)
Create a notification for this product.
Date Public ?
2026-03-10 17:00
Credits
Gjoko Krstic of Zero Science reported this vulnerability to Honeywell.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3611",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-13T18:02:46.954644Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-13T18:03:02.081Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IQ4E",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "4.36 (build 4.3.7.9)",
              "status": "affected",
              "version": "v3.50_3.44",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "IQ412",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "4.36 (build 4.3.7.9)",
              "status": "affected",
              "version": "v3.50_3.44",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "IQ422",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "4.36 (build 4.3.7.9)",
              "status": "affected",
              "version": "v3.50_3.44",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "IQ4NC",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "4.36 (build 4.3.7.9)",
              "status": "affected",
              "version": "v3.50_3.44",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "IQ41x",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "4.36 (build 4.3.7.9)",
              "status": "affected",
              "version": "v3.50_3.44",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "IQ3",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "4.36 (build 4.3.7.9)",
              "status": "affected",
              "version": "v3.50_3.44",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "IQECO",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "4.36 (build 4.3.7.9)",
              "status": "affected",
              "version": "v3.50_3.44",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gjoko Krstic of Zero Science reported this vulnerability to Honeywell."
        }
      ],
      "datePublic": "2026-03-10T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration."
            }
          ],
          "value": "The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing authentication for critical function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T20:06:05.753Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-069-03.json"
        },
        {
          "url": "https://www.honeywell.com/us/en/contact"
        }
      ],
      "source": {
        "advisory": "ICSA-26-069-03",
        "discovery": "EXTERNAL"
      },
      "title": "Honeywell IQ4x BMS Controller Missing authentication for critical function",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Honeywell is aware of the issue, but has not released a fix. For more \ninformation, contact Honeywell directly. \n[https://www.honeywell.com/us/en/contact](https://www.honeywell.com/us/en/contact)."
            }
          ],
          "value": "Honeywell is aware of the issue, but has not released a fix. For more \ninformation, contact Honeywell directly. \n[https://www.honeywell.com/us/en/contact](https://www.honeywell.com/us/en/contact)."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-3611",
    "datePublished": "2026-03-12T20:06:05.753Z",
    "dateReserved": "2026-03-05T18:12:38.425Z",
    "dateUpdated": "2026-03-13T18:03:02.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-3611\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2026-03-12T21:16:27.693\",\"lastModified\":\"2026-03-13T20:06:54.667\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.\"},{\"lang\":\"es\",\"value\":\"El controlador de gesti\u00f3n de edificios Honeywell IQ4x expone su HMI completo basado en web sin autenticaci\u00f3n en su configuraci\u00f3n predeterminada de f\u00e1brica. Al no tener ning\u00fan m\u00f3dulo de usuario configurado, la seguridad est\u00e1 deshabilitada por dise\u00f1o y el sistema opera bajo un contexto de Invitado del Sistema (nivel 100), otorgando privilegios de lectura/escritura a cualquier parte capaz de alcanzar la interfaz HTTP. Los controles de autenticaci\u00f3n solo se aplican despu\u00e9s de que se crea un usuario web a trav\u00e9s de U.htm, lo que habilita din\u00e1micamente el m\u00f3dulo de usuario. Debido a que esta funci\u00f3n es accesible antes de la autenticaci\u00f3n, un usuario remoto puede crear una nueva cuenta con permisos administrativos de lectura/escritura, habilitando el m\u00f3dulo de usuario e imponiendo la autenticaci\u00f3n bajo credenciales controladas por el atacante. Esta acci\u00f3n puede bloquear eficazmente a los operadores leg\u00edtimos de la configuraci\u00f3n y administraci\u00f3n local y basada en web.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-069-03.json\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.honeywell.com/us/en/contact\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3611\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T18:02:46.954644Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T18:02:56.756Z\"}}], \"cna\": {\"title\": \"Honeywell IQ4x BMS Controller Missing authentication for critical function\", \"source\": {\"advisory\": \"ICSA-26-069-03\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Gjoko Krstic of Zero Science reported this vulnerability to Honeywell.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 10, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Honeywell\", \"product\": \"IQ4E\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.50_3.44\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.36 (build 4.3.7.9)\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Honeywell\", \"product\": \"IQ412\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.50_3.44\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.36 (build 4.3.7.9)\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Honeywell\", \"product\": \"IQ422\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.50_3.44\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.36 (build 4.3.7.9)\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Honeywell\", \"product\": \"IQ4NC\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.50_3.44\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.36 (build 4.3.7.9)\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Honeywell\", \"product\": \"IQ41x\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.50_3.44\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.36 (build 4.3.7.9)\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Honeywell\", \"product\": \"IQ3\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.50_3.44\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.36 (build 4.3.7.9)\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Honeywell\", \"product\": \"IQECO\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.50_3.44\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.36 (build 4.3.7.9)\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-03-10T17:00:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-069-03.json\"}, {\"url\": \"https://www.honeywell.com/us/en/contact\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Honeywell is aware of the issue, but has not released a fix. For more \\ninformation, contact Honeywell directly. \\n[https://www.honeywell.com/us/en/contact](https://www.honeywell.com/us/en/contact).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Honeywell is aware of the issue, but has not released a fix. For more \\ninformation, contact Honeywell directly. \\n[https://www.honeywell.com/us/en/contact](https://www.honeywell.com/us/en/contact).\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing authentication for critical function\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-03-12T20:06:05.753Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-3611\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T18:03:02.081Z\", \"dateReserved\": \"2026-03-05T18:12:38.425Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2026-03-12T20:06:05.753Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.