Honeywell IQ4x BMS Controller
Priority: Act Now · Score: 10 · Source: ICS-CERT ICSA-26-069-03 · Published: Mar 10, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An authentication bypass vulnerability (CWE-306) in Honeywell IQ4x BMS controllers allows an unauthenticated attacker to gain unauthorized access to the controller management interface. Successful exploitation could allow an attacker to access controller management settings, modify control setpoints and commands, disclose sensitive configuration information, or cause a denial-of-service condition. The vulnerability affects firmware versions 3.50 through 4.36 build 4.3.7.8 across multiple IQ4x models. Honeywell has not released a fix and has not indicated a timeline for remediation.
What this means
What could happen
An attacker with network access to an IQ4x BMS controller could bypass authentication, access management settings, modify control parameters, steal sensitive configuration data, or disable the device—potentially disrupting HVAC, building automation, or process control in healthcare facilities and manufacturing plants.
Who's at risk
Healthcare facilities and manufacturing plants using Honeywell IQ4 series BMS (Building Management System) controllers for HVAC, chiller, or process control automation. This includes IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, and IQECO models. Anyone managing or relying on centralized building or process control is at risk.
How it could be exploited
An attacker on the same network segment, or with a route to the controller, sends a specially crafted request that bypasses the authentication mechanism (CWE-306). No credentials are required. With authentication bypassed, the attacker has management access to the controller and can read or modify its settings and commands.
Prerequisites
- Network reachability to the IQ4x BMS controller's management interface (the web management port; this page also lists TCP port 502, which is the Modbus TCP port)
- The controller must be running vulnerable firmware version 3.50 through 4.36 build 4.3.7.8
- No prior credentials required for exploitation
Risk factors
- Remotely exploitable over network
- No authentication required for exploitation
- Low attack complexity
- No patch available from vendor
- Critical CVSS score (10.0)
- Affects building automation and process control
- Affects healthcare sector
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
All 7 are End of Life (EOL).
Product   Affected Versions                                  Fix Status
IQ422     >= Firmware v3.50 3.44 and < 4.36 build 4.3.7.9   No fix (EOL)
IQ4E      >= Firmware v3.50 3.44 and < 4.36 build 4.3.7.9   No fix (EOL)
IQ412     >= Firmware v3.50 3.44 and < 4.36 build 4.3.7.9   No fix (EOL)
IQ4NC     >= Firmware v3.50 3.44 and < 4.36 build 4.3.7.9   No fix (EOL)
IQ41x     >= Firmware v3.50 3.44 and < 4.36 build 4.3.7.9   No fix (EOL)
IQ3       >= Firmware v3.50 3.44 and < 4.36 build 4.3.7.9   No fix (EOL)
IQECO     >= Firmware v3.50 3.44 and < 4.36 build 4.3.7.9   No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate all IQ4x BMS controllers from the internet and from business network segments using firewalls and network segmentation. Only allow trusted engineering workstations and building management systems to communicate with the controllers.
- WORKAROUND: Implement network access controls (firewall rules, ACLs) to restrict who can reach the BMS controller management interface. Block all inbound connections from untrusted sources.
- HARDENING: Review building management system logs and network traffic for signs of unauthorized access attempts against the IQ4x controllers.
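The segmentation and log-review items above can be checked together: once the set of hosts permitted to reach the controllers is written down, every connection to a controller from any other source is either a segmentation gap or an access attempt worth investigating. The script below is an added example written for this page, not code from Honeywell or from the advisory. The controller addresses, the engineering-host allowlist, the site address range, the management-port set (80 and 443 are assumed for the web management port, plus the TCP 502 the page lists) and the Zeek conn.log excerpt are all constructed assumptions to be replaced with the real site's values.

```python
"""Audit a Zeek conn.log excerpt for connections to IQ4x controllers from hosts
that are not on the engineering allowlist.

Added example for this advisory page. Every address, port and log line below
is a constructed assumption, not data taken from the advisory.
"""
import ipaddress
from dataclasses import dataclass

# --- Assumptions (constructed; replace with the real site's values) ---
CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.20.30.11", "10.20.30.12")}
# Management ports: the page lists TCP 502 and "the web management port";
# 80 and 443 are assumed here for the latter.
MGMT_PORTS = {80, 443, 502}
# Hosts permitted to reach the controllers (engineering workstations and the
# BMS head-end). This is the same allowlist the firewall/ACL should enforce.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.10.0/28"),
                   ipaddress.ip_network("10.20.20.5/32")]
# Address space of the building network; anything else was routed in.
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Zeek conn_state values that mean the TCP handshake completed.
ESTABLISHED = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}

# Constructed conn.log excerpt, trimmed to the columns used here.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1773100001.101\t10.20.10.3\t51422\t10.20.30.11\t443\ttcp\tSF
1773100002.207\t10.20.20.5\t40110\t10.20.30.12\t502\ttcp\tSF
1773100003.314\t10.20.50.77\t49831\t10.20.30.11\t80\ttcp\tSF
1773100004.420\t198.51.100.23\t55010\t10.20.30.12\t443\ttcp\tSF
1773100005.531\t10.20.50.77\t49832\t10.20.30.11\t502\ttcp\tS0
1773100006.642\t10.20.50.77\t49833\t10.20.30.11\t8080\ttcp\tSF
1773100007.750\t10.20.10.3\t51423\t10.20.30.11\t502\ttcp\tSF
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    severity: str
    reason: str


def parse_conn_log(text):
    """Parse tab-separated Zeek log lines, taking column names from #fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log body seen before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_in(addr, networks):
    return any(addr in net for net in networks)


def classify(rec):
    """Return a Finding for a connection to a controller from a source that is
    not allowlisted, or None when the record is within policy."""
    src = ipaddress.ip_address(rec["id.orig_h"])
    dst = ipaddress.ip_address(rec["id.resp_h"])
    port = int(rec["id.resp_p"])
    if dst not in CONTROLLERS or is_in(src, ALLOWED_SOURCES):
        return None
    if not is_in(src, SITE_NETWORKS):
        severity, reason = "critical", "source outside the site address space reached a controller"
    elif port in MGMT_PORTS:
        severity, reason = "high", "internal host not on the allowlist reached a management port"
    else:
        severity, reason = "medium", "internal host not on the allowlist reached a non-management port"
    if rec["conn_state"] not in ESTABLISHED:
        # A SYN with no reply (S0) or a rejected attempt still shows the host is probing.
        reason = "probe only, no completed handshake: " + reason
    return Finding(rec["ts"], str(src), str(dst), port, severity, reason)


def audit(text):
    return [f for f in map(classify, parse_conn_log(text)) if f is not None]


def summarize(findings):
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found = audit(SAMPLE_CONN_LOG)
    for f in found:
        print(f"{f.severity:8} {f.src} -> {f.dst}:{f.port}  {f.reason}")
    print(summarize(found))
```

Feed the real conn.log contents to audit() to run this against live data. Any "critical" finding means a route from outside the building network to a controller exists, so the isolation item has not actually been completed; "high" findings from internal hosts are the connections to triage, since the bypass needs no credentials and a completed handshake to the management port is all it takes.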
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Monitor the Honeywell security website and contact Honeywell directly to determine whether a future firmware patch becomes available. Prepare a firmware update plan and maintenance window for when a vendor fix is released.
Mitigations (no patch available)
All affected products (IQ422, IQ4E, IQ412, IQ4NC, IQ41x, IQ3, IQECO; firmware >= v3.50 3.44 and < 4.36 build 4.3.7.9) have reached End of Life with no planned fix. Apply the following compensating control in addition to the "Do now" items:
- HARDENING: If remote access to the BMS controller is required, implement a VPN that is kept current with patches and monitor VPN access logs for suspicious activity.
CVEs (1)
API:
/api/v1/advisories/e2cd9ebd-63e7-4b16-b983-83b4ead52763