CVE-2026-3611Honeywell · Iq4e_firmware
Vulnerability data via NVD (ingested)
The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-3611os:"Iq4e Firmware"More intel sources (5)
vuln:CVE-2026-3611vulnerabilities.cve_id: CVE-2026-3611CVE-2026-3611CVE-2026-3611"CVE-2026-3611" exploit -site:nvd.nist.gov