PatchSiren cyber security CVE debrief
CVE-2026-3611 Honeywell CVE debrief
CVE-2026-3611 describes a critical access-control weakness in Honeywell IQ4 Series building management controllers prior to version 3.30. In the factory-default configuration, the web HMI can be reached without authentication when no user module is configured, and the advisory states that this results in System Guest (level 100) read/write access to the HTTP interface. The same interface can be used to create a new administrative account, enable the user module, and force authentication under attacker-controlled credentials, which can lock legitimate operators out of the controller.
- Vendor: Honeywell
- Product: IQ4E Firmware
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-10
- Original CVE updated: 2026-03-26
- Advisory published: 2026-03-10
- Advisory updated: 2026-03-26
Who should care
Building automation and OT teams responsible for Honeywell IQ4 Series controllers, especially site operators, facilities teams, system integrators, and security staff managing BMS network segmentation and controller commissioning.
Technical summary
According to the CISA CSAF advisory, Honeywell IQ4 Series controllers prior to v3.30 expose a web-based HMI without authentication in the factory-default state. If no user module is configured, the controller operates as System Guest (level 100) with read/write privileges for anyone who can reach the HTTP interface. The advisory further says an unauthenticated party can create an administrative account, enable the user module, and impose authentication with attacker-controlled credentials, effectively preventing legitimate access.
Defensive priority
Immediate
Recommended defensive actions
- Upgrade affected controllers to firmware version 3.30 or later, or the latest available firmware recommended by Honeywell.
- Verify that a user module is installed and authentication is enforced on each commissioned controller.
- Review devices that were commissioned before the upgrade: the fix forces user-module installation at commissioning time, so a controller commissioned on older firmware may still have no user module after the update. Confirm on each such device that the user module is present and authentication is actually enforced.
- Restrict access to controller web interfaces to authorized management networks only.
- Segment building automation networks from IT networks and apply defense-in-depth controls.
- Log and monitor controller and network activity for unauthorized access or account-creation attempts.
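As an added illustration of the segmentation and monitoring actions above (example code written for this debrief, not Honeywell's tooling and not taken from the advisory), the following Python script reads HTTP access records exported by a perimeter firewall or reverse proxy and flags three conditions: controller HMI traffic from outside the management subnet, accepted state-changing requests to a controller (the advisory's account-creation path is a write to the HTTP interface), and a management host that starts receiving 401 responses from a controller it previously read without credentials after an untrusted write, which is the lockout scenario. The six-field log format, the controller and subnet addresses, and the `/users` path are constructed assumptions; adapt the field split and inventory to the real environment.

```python
"""Flag BMS controller web traffic that violates segmentation or looks like
an unauthenticated account takeover. Added example; all addresses, the log
format and paths below are constructed assumptions, not advisory content."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed inventory (hypothetical addresses): controller web HMIs and the
# only subnet that should ever reach them.
CONTROLLERS = {"10.20.30.11", "10.20.30.12"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed sample records in the hypothetical format
# "<timestamp> <src_ip> <dst_ip> <method> <path> <status>".
SAMPLE_LOG = """\
2026-03-11T08:00:01Z 10.99.0.5 10.20.30.11 GET / 200
2026-03-11T08:02:13Z 10.50.7.42 10.20.30.11 GET / 200
2026-03-11T08:02:20Z 10.50.7.42 10.20.30.11 POST /users 200
2026-03-11T08:10:00Z 10.99.0.5 10.20.30.11 GET / 401
2026-03-11T08:11:00Z 10.99.0.5 10.20.30.12 GET / 200
2026-03-11T08:12:00Z 10.50.7.42 10.60.1.1 GET /index.html 200
"""

WRITE_METHODS = {"POST", "PUT", "DELETE"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def in_management_net(ip: str) -> bool:
    """True if the source address belongs to an authorised management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def analyse(log_text: str, controllers=CONTROLLERS) -> list[Finding]:
    """Return one Finding per suspicious event involving a controller HMI."""
    findings: list[Finding] = []
    open_from_mgmt: set[str] = set()    # controllers that served 200 to a management GET
    untrusted_writes: set[str] = set()  # controllers that accepted a write from outside
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed record, skip
        ts, src, dst, method, path, status = fields
        if dst not in controllers:
            continue  # not BMS traffic
        trusted = in_management_net(src)
        if not trusted:
            # Segmentation control violated: HMI reachable from a non-management host.
            findings.append(Finding(ts, src, dst, "outside-management-network"))
        if method in WRITE_METHODS and status.startswith("2"):
            # Any accepted write to a factory-default controller may be account creation.
            findings.append(Finding(ts, src, dst, "write-accepted"))
            if not trusted:
                untrusted_writes.add(dst)
        if method == "GET" and trusted:
            if status == "200":
                open_from_mgmt.add(dst)
            elif status == "401" and dst in open_from_mgmt and dst in untrusted_writes:
                # Operator host is now challenged for credentials after an untrusted
                # write: matches the advisory's lockout scenario.
                findings.append(Finding(ts, src, dst, "auth-state-changed-after-untrusted-write"))
    return findings


def reasons(findings: list[Finding]) -> list[str]:
    """Convenience view of the finding reasons, in log order."""
    return [f.reason for f in findings]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.reason}")
```

A hit on auth-state-changed-after-untrusted-write is the strongest signal and should trigger a console check of that controller's user module and account list; the outside-management-network findings are the routine segmentation audit and are expected to be empty once the controller VLAN is properly firewalled.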
Evidence notes
This debrief is grounded in the CISA CSAF advisory ICSA-26-069-03, published 2026-03-10 and updated 2026-03-26 (Update A). The source describes affected versions as prior to 3.30, notes the factory-default unauthenticated web HMI behavior, and explains that creating a web user enables the user module and authentication. The remediation section states that version 3.30, released June 2015, and later force user-module installation on commissioning, and it recommends network isolation, least privilege, and monitoring. No exploit code or offensive reproduction details were used.
Official resources
- CVE-2026-3611 CVE record (CVE.org)
- CVE-2026-3611 NVD detail (NVD)
- Source item: CISA CSAF advisory ICSA-26-069-03 (cisa_csaf)
CISA CSAF advisory ICSA-26-069-03 was initially published on 2026-03-10 and updated on 2026-03-26 (Update A).