Honeywell Trend IQ4xx BMS Controller Unauthenticated Remote Web-HMI Control And Lockout
Title: Honeywell Trend IQ4xx BMS Controller Unauthenticated Remote Web-HMI Control And Lockout
Advisory ID: ZSL-2026-5979
Type: Local/Remote
Impact: Security Bypass, System Access, DoS
Risk: (5/5)
Release Date: 02.03.2026
Summary
The Honeywell IQ4 (Trend IQ4) is a line of intelligent building-management controllers designed to provide advanced unitary control, HVAC integration, and scalable I/O expansion for commercial environments. These controllers use Ethernet and TCP/IP networking with embedded XML, support BACnet over IP, and can expand up to 192 I/O points depending on the model, making them suitable for a wide range of plant-control applications. They offer multiple communication ports (Ethernet, USB, RS232, Wallbus), optional Trend current-loop networking, and seamless compatibility with other Trend IQ controllers - enabling unified, energy-efficient building automation across devices.
Description
The IQ4xx building management controller, manufactured by Honeywell, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System User (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
Additionally, a hidden 'Diagnostics Overview' endpoint (/^.htm or /%5E.htm) is accessible through the interface, further expanding the exposed attack surface. While the vendor states the controller is intended for on-premise use and not direct Internet exposure, reliance on network isolation does not mitigate insecure default states. Operational environments frequently include flat network segments, remote access services, and integration pathways that expand reachability. Systems controlling critical building functions must enforce authentication and least-privilege controls by default, independent of deployment assumptions. This design leaves schools, commercial buildings, and other facilities vulnerable to unauthorized control, configuration tampering, and administrative lockout wherever network access is obtained. "Security must be engineered for resilience, not isolation." - AI Joe
From the manual, page 12:
3.3 Access Rights (Security)
"Controller security should always be enabled in line with the 'General Security Best Practice for Trend IP Based Products Information Sheet' (TP201331). You can login to the web interface using a user name and password that match one of the user modules defined in the controller's strategy. Once logged in your access rights will be determined by the user module configuration."
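The following Python script is an added, defender-side illustration written for this page; it is not the advisory's PoC (trendhmi.py) and not Honeywell tooling. It runs over constructed combined-format access-log lines, as a reverse proxy or gateway placed in front of the controllers might write them, and flags requests to the two endpoints named in the Description: U.htm (the web user module page) and the Diagnostics Overview page /^.htm, which arrives percent-encoded as /%5E.htm. A request to either from outside an assumed management allowlist (10.10.5.0/24) is reported, and so is any POST or PUT to U.htm even from inside that allowlist, because a successful write there is precisely the event that switches the controller from open access to authentication under whatever credentials the caller supplied and should match a change record. The log format, the allowlist and the sample lines are assumptions; the controller's actual responses are not modelled.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
from urllib.parse import unquote

# Combined-log style lines as a reverse proxy or gateway in front of the
# controllers would write them. Constructed sample data, not from the advisory.
SAMPLE_LOG = """\
10.10.5.20 - - [02/Mar/2026:09:15:01 +0100] "GET /index.htm HTTP/1.1" 200 4120
10.10.5.20 - - [02/Mar/2026:09:15:09 +0100] "GET /U.htm HTTP/1.1" 200 2210
192.168.40.77 - - [02/Mar/2026:09:16:30 +0100] "GET /%5E.htm HTTP/1.1" 200 8800
192.168.40.77 - - [02/Mar/2026:09:17:02 +0100] "POST /U.htm HTTP/1.1" 200 512
10.10.5.20 - - [02/Mar/2026:10:01:00 +0100] "POST /U.htm?x=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical allowlist of networks permitted to administer the controllers.
MGMT_NETS = [ip_network("10.10.5.0/24")]

# Endpoints named in the advisory. Paths are compared after URL-decoding and
# lower-casing, so /%5E.htm and /^.htm are treated as the same resource.
USER_MODULE_PAGE = "/u.htm"
DIAG_PAGE = "/^.htm"
SENSITIVE = {USER_MODULE_PAGE, DIAG_PAGE}
WRITE_METHODS = {"POST", "PUT"}


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def normalize_path(raw: str) -> str:
    """Drop the query string, decode percent-encoding, lower-case for comparison."""
    return unquote(raw.split("?", 1)[0]).lower()


def is_management_host(src: str) -> bool:
    """True when the source address falls inside the (assumed) management allowlist."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def classify(src: str, method: str, path: str) -> Optional[str]:
    """Return a reason string when the request should be reported, else None."""
    if path not in SENSITIVE:
        return None
    if not is_management_host(src):
        return "sensitive controller endpoint reached from outside the management allowlist"
    if path == USER_MODULE_PAGE and method in WRITE_METHODS:
        # Creating a web user enables the user module and imposes authentication
        # under the caller's credentials, so even in-network writes are reported
        # for reconciliation against a change record.
        return "web user module written from a management host; verify against change record"
    return None


def detect(log_text: str) -> List[Finding]:
    """Parse each log line and collect the requests that match a reporting rule."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production detector would count these
        path = normalize_path(m["path"])
        reason = classify(m["src"], m["method"], path)
        if reason:
            findings.append(
                Finding(m["src"], m["ts"], m["method"], path, int(m["status"]), reason)
            )
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.method} {f.path} -> {f.reason}")
```

On the constructed sample the first two lines are ignored (an ordinary page, and a read of U.htm from an allowlisted host), while the diagnostics read and the U.htm write from 192.168.40.77 and the in-network write to U.htm are each reported. Decoding before matching is the detail worth keeping: a rule that compares the raw request path would miss the /%5E.htm spelling of the hidden endpoint.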
Vendor
Honeywell International Inc. - https://www.honeywell.com
Affected Version
Model: IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, IQECO
Firmware: 4.36 (build 4.3.7.9)
4.34 (build 4.3.5.14)
3.52 (build 3.5.3.15)
3.50
3.44
Tested On
webServr (XML Web Services)
Vendor Status
[09.12.2025] Vulnerability discovered.
[23.12.2025] Vendor contacted.
[01.01.2026] Vendor responds asking more details.
[07.01.2026] Asked vendor how the authentication and the web/user module works in the controller.
[28.01.2026] No response from the vendor.
[29.01.2026] Asked vendor for status update and informed of exposure.
[30.01.2026] Honeywell PSIRT states: IQ4 is designed to be utilized as an on-premise product and is not intended to be directly accessible from the Internet. As the environments in which the product is installed have a great deal of technical variation, it is strongly recommended that persons engaged in installation, configuration, and maintenance are technically qualified to understand and follow the product documentation.
[12.02.2026] Replied to the vendor.
[23.02.2026] Asked vendor to assign CVE and provided description details.
[25.02.2026] No response from the vendor.
[26.02.2026] Opened a case through cert.org, VU#854120.
[26.02.2026] CISA asks Honeywell for evaluation and reasoning of reported issue.
[02.03.2026] No response from the vendor.
[02.03.2026] Public security advisory released.
PoC
trendhmi.py
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] https://packetstorm.news/files/id/216430/
Changelog
[02.03.2026] - Initial release
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]