Cyber Resilience

CVE-2026-3611

Critical (updated)

Published: 12 March 2026

Modified: 05 June 2026
KEV Added: not listed
Patch
CVSS v4 Score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0558 (91.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-3611 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Honeywell Iq4E Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 8.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Deeper analysis

CVE-2026-3611 affects the Honeywell IQ4x building management controller, where the full web-based human-machine interface (HMI) is exposed without authentication in its factory-default configuration. Without a user module configured, security is disabled by design, allowing the system to operate under a System Guest (level 100) context that grants read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via the U.htm page, which remains accessible prior to any authentication setup.

A remote attacker with network access to the HTTP interface can exploit this vulnerability without authentication or privileges. By accessing U.htm, the attacker can create a new account with administrative read/write permissions, dynamically enabling the user module under attacker-controlled credentials. This grants the attacker full control over the controller's configuration and administration, potentially locking out legitimate operators from both local and web-based access.

CISA's ICS Advisory ICSA-26-069-03 details mitigation recommendations for this vulnerability; it is available via the provided references, including the CSAF JSON file and the CISA news event page. Honeywell contact information is also listed for further support.


Vulnerability details

The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.


MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Unauthenticated access to the public-facing web HMI enables exploitation (T1190) and the creation of local administrative accounts (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25134 (shared CWE-306)
CVE-2026-42221 (shared CWE-306)
CVE-2025-27647 (shared CWE-306)
CVE-2025-11007 (shared CWE-306)
CVE-2025-26342 (shared CWE-306)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)

Affected Assets

honeywell iq4e firmware: versions ≤ 3.30
honeywell iq412 firmware: versions ≤ 3.30
honeywell iq422 firmware: versions ≤ 3.30
honeywell iq4nc firmware: versions ≤ 3.30
honeywell iq41x firmware: versions ≤ 3.30

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (AC-14, Permitted Actions Without Identification or Authentication): Directly identifies and limits the actions permitted without identification or authentication, preventing unauthenticated access to the HMI and to U.htm for user creation and configuration changes.

Prevent (IA-2, Identification and Authentication (Organizational Users)): Requires unique identification and authentication for organizational users, enforcing authentication on the web HMI to block unauthenticated read/write privileges and account creation.

Prevent (AC-2, Account Management): Mandates secure account management processes, including approval for account creation and privilege assignment, preventing attackers from creating administrative accounts via the accessible U.htm page.
