Honeywell, Researcher Clash Over Impact of Building Controller Vulnerability
Briefly

"According to Krstic, the product exposes its web-based human-machine interface (HMI) without authentication in its factory-default configuration. The researcher also found that if the product is not properly configured and a user module is not enabled during setup, a remote attacker who has access to the management interface can create an account with administrator permissions, before legitimate users set up their accounts."
"IQ4 devices are delivered unconfigured and are set up by trained technicians before they become operational. The scenario described by the researcher could only occur during a brief installation phase, before the system is active, or if security settings were deliberately disabled against clear warnings. At that stage, the device cannot monitor or control any equipment, and there is no impact on operations."
Cybersecurity researcher Gjoko Krstic identified critical vulnerabilities in Honeywell's IQ4 building management controller. The product exposes its web-based interface without authentication in its factory-default configuration and, if the user module is not enabled during setup, allows a remote attacker with access to the management interface to create an administrator account before legitimate users have set up theirs. This could lock legitimate operators out of system configuration and administration, potentially affecting schools and commercial buildings. Krstic reported his findings to Honeywell in December 2025. Honeywell disputes the severity, stating that the IQ4 is designed for on-premises use and that the scenario can only occur during a brief installation phase before the system becomes operational, with no impact on actual operations.
Read at SecurityWeek