Honeywell IQ4x BMS Controller

Status: Plan Patch | CVSS: 10 | ICS-CERT: ICSA-26-069-03 | Published: Mar 10, 2026
Vendor: Honeywell | Sectors: Healthcare, Manufacturing

Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A missing authentication vulnerability in Honeywell IQ series BMS controllers allows unauthorized attackers to access controller management settings, modify control parameters, disclose sensitive information, or cause denial of service without providing credentials. The vulnerability affects all IQ422, IQ4E, IQ412, IQ4NC, IQ41x, IQ3, and IQECO models running firmware versions from 3.50 up to (but not including) 4.36 build 4.3.7.9. Honeywell has not released a patch and currently does not plan to fix this issue. The only available protections are network isolation and access controls.

What this means
What could happen
An attacker with network access to a vulnerable Honeywell IQ BMS controller could modify building management settings, disable HVAC or lighting controls, or shut down the controller entirely, disrupting facility operations and comfort systems in hospitals or manufacturing plants.
Who's at risk
Healthcare facilities (hospitals, clinics) and manufacturing plants that rely on Honeywell IQ series BMS (building management system) controllers for HVAC, lighting, and environmental controls should be concerned. Any organization operating an IQ422, IQ4E, IQ412, IQ4NC, IQ41x, IQ3, or IQECO controller with firmware versions 3.50 through 4.36 build 4.3.7.8 is at risk.
How it could be exploited
An attacker on the network (or from the internet if the controller is exposed) sends a specially crafted request to the controller without providing any credentials. The lack of proper authentication checks allows the attacker to access the management interface and execute commands to alter or disable controls.
Prerequisites
  • Network access to the IQ BMS controller (port/protocol unspecified in advisory)
  • No credentials required
Key risk factors:
  • Remotely exploitable
  • No authentication required
  • Critical CVSS score (10.0)
  • No patch available from vendor
  • Affects building management systems that control facility safety and comfort
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (7)
All 7 affected products are end of life (EOL).

Product   Affected Versions                                  Fix Status
IQ422     ≥ Firmware v3.50 3.44 and < 4.36 build 4.3.7.9     No fix (EOL)
IQ4E      ≥ Firmware v3.50 3.44 and < 4.36 build 4.3.7.9     No fix (EOL)
IQ412     ≥ Firmware v3.50 3.44 and < 4.36 build 4.3.7.9     No fix (EOL)
IQ4NC     ≥ Firmware v3.50 3.44 and < 4.36 build 4.3.7.9     No fix (EOL)
IQ41x     ≥ Firmware v3.50 3.44 and < 4.36 build 4.3.7.9     No fix (EOL)
IQ3       ≥ Firmware v3.50 3.44 and < 4.36 build 4.3.7.9     No fix (EOL)
IQECO     ≥ Firmware v3.50 3.44 and < 4.36 build 4.3.7.9     No fix (EOL)
Remediation & Mitigation

Do now
  • HARDENING: Isolate the IQ BMS controller from the internet and untrusted networks by placing it behind a firewall that blocks inbound access from external sources.
  • HARDENING: Implement network access controls (firewall rules) to restrict management access to the controller to authorized engineering workstations only.
  • WORKAROUND: Contact Honeywell support to determine if a workaround, configuration change, or alternative product exists to mitigate this authentication bypass.

Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
  • HARDENING: If remote access to the BMS is required, deploy a VPN gateway with strong encryption and multi-factor authentication, keeping the VPN software patched to the latest version.
  • HARDENING: Monitor network traffic to and from the BMS controller for unauthorized connection attempts or anomalous commands.

Mitigations - no patch available
The following products have reached End of Life with no planned fix: IQ422, IQ4E, IQ412, IQ4NC, IQ41x, IQ3, and IQECO (all running firmware ≥ v3.50 3.44 and < 4.36 build 4.3.7.9). Apply the following compensating control:
  • HARDENING: Segment the BMS network from the main business network using a separate VLAN or air-gapped network topology to prevent lateral movement from compromised IT systems.