The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
In the factory configuration, the user module is not activated, and the system operates in the context of a System Guest account (level 100) with read and write permissions for each HTTP client. Authentication control is only enabled after the first web user is created through the U.htm page, which dynamically activates the user module. Since the U.htm page is accessible before authentication, a remote attacker can create a new administrative account with read and write privileges without any credentials, thereby activating the authentication module under their controlled credentials. As a result, legitimate operators lose access to both local and web configuration of the device.
An attacker can remotely and without authentication gain full administrative privileges to the building controller, modify its configuration, and permanently block access to legitimate operators by taking over the authentication mechanism.
The web user account must be configured immediately through the U.htm page to activate the authentication module and enforce access control. The device should not be exposed to publicly accessible networks without prior authentication configuration. Patches available from the manufacturer should be applied according to references (ICSA-26-069-03) and CISA recommendations should be reviewed at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03
Honeywell IQ4x building management controller in factory configuration (without configured user module); specific versions indicated in manufacturer references (ICSA-26-069-03)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XHoneywell Iq412
HWHoneywellwszystkie wersjeHoneywell Iq412 Firmware
OSHoneywell< 3.30Honeywell Iq41x
HWHoneywellwszystkie wersjeHoneywell Iq41x Firmware
OSHoneywell< 3.30Honeywell Iq422
HWHoneywellwszystkie wersjeHoneywell Iq422 Firmware
OSHoneywell< 3.30Honeywell Iq4e
HWHoneywellwszystkie wersjeHoneywell Iq4e Firmware
OSHoneywell< 3.30Honeywell Iq4nc
HWHoneywellwszystkie wersjeHoneywell Iq4nc Firmware
OSHoneywell< 3.30
Related vulnerabilities
OS Command Injection w Honeywell MB-Secure i MB-Secure PRO (privilege abuse)
Uwierzytelniony RCE w LenelS2 NetBox (wersje do 5.6.1 włącznie)
Nieuwierzytelniony RCE w Honeywell LenelS2 NetBox (command injection)
Nieautoryzowana modyfikacja plików w Honeywell ControlEdge UOC i VirtualUOC
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Com...