CVE-2026-3611 - Vulnerability Analysis
Critical | CVSS: 10.0 | Last Updated: March 13, 2026
Honeywell IQ4x - Broken Access Control
Overview
The Honeywell IQ4x building management controller contains a broken access control vulnerability: its factory-default configuration exposes the full web-based HMI without authentication. Remote attackers can create admin accounts and lock out legitimate users. Exploitation requires no prior authentication.
Severity & Score
Impact
Remote attackers can gain administrative access and lock out legitimate users, compromising system control and security.
Mitigation
Configure authentication before enabling the web-based HMI, or update to a version that enforces authentication by default.
References
Social Media Activity (2 posts)
CRITICAL: CVE-2026-3611 impacts Honeywell IQ4E (v3.50_3.44) - missing web HMI authentication lets remote attackers create admin accounts, lock out operators, and control building systems. Restrict access & create user accounts ASAP. https://radar.offseq.com/threat/cve-2026-3611-cwe-306-missing-authentication-for-c-2be1059b #OffSeq #ICS #Honeywell
CVE-2026-3611 - Critical (10) The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Gu... https://www.thehackerwire.com/vulnerability/CVE-2026-3611/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-3611
- Severity: Critical
- CVSS Score: 10.0
- Type: broken_access_control
- Status: unconfirmed
- EPSS: 13.2%
- Social Posts: 2
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H