Honeywell Controllers Widely Exposed Without Authentication
Security researchers at Zero Science Lab have disclosed a critical vulnerability in Honeywell’s Trend IQ4xx series of Building Management System (BMS) controllers, revealing that the devices expose their full web-based Human-Machine Interface (HMI) without any authentication in their factory-default configuration.
The advisory, tracked as ZSL-2026-5979, was publicly released on March 2, 2026, after months of limited vendor engagement.
No Auth by Default – By Design
The Honeywell IQ4xx series controllers are widely deployed in commercial buildings, schools, and industrial facilities to manage HVAC systems, energy controls, and scalable I/O operations supporting up to 192 I/O points.
They operate over Ethernet and TCP/IP, support BACnet over IP, and serve as central nodes in unified building automation networks.
The core flaw lies in how the controller handles its default state. When no user module is configured, security is entirely disabled, and the system runs under a System User context at privilege level 100 – granting full read/write access to anyone who can reach the HTTP interface.
Authentication is enabled only after a web user is created manually via theU.htm endpoint.
Critically, that same U.htm page is accessible before authentication is in place. This means a remote attacker can visit the page, create an administrator account with attacker-controlled credentials, and instantly lock out legitimate operators from both local and web-based management, a complete administrative takeover.
A hidden diagnostics endpoint (/^.htm or /%5E.htm) was also identified, further expanding the available attack surface for unauthenticated users, as reported by Zero Science Lab.
Affected Versions
| Model | Firmware Version |
|---|---|
| IQ4E, IQ412, IQ422 | 4.36 (build 4.3.7.9) |
| IQ4NC, IQ41x | 4.34 (build 4.3.5.14) |
| IQ3, IQECO | 3.52 (build 3.5.3.15), 3.50, 3.44 |
Honeywell’s PSIRT responded in late January 2026, stating the IQ4 controller is an on-premise product not intended for direct internet exposure, and recommended that only technically qualified personnel handle installation and configuration.
This response did not address the insecure default state itself.
With no CVE assignment or patch forthcoming, researchers escalated the case through CERT/CC (VU#854120) and notified CISA on February 26, 2026. Honeywell had not responded by the advisory’s public release date.
A proof-of-concept script, trendhmi.py, was published alongside the advisory, demonstrating unauthenticated HMI interaction.
Mitigation Recommendations
- Immediately create a web user account via
U.htmto activate authentication on all deployed IQ4xx controllers - Isolate BMS controllers on dedicated, firewalled network segments
- Disable remote access pathways unless strictly required
- Audit all flat network environments where IQ4xx devices may be reachable
- Monitor CISA and Honeywell advisories for official patch releases