
These Honeywell Trend IQ-series controllers manage HVAC, lighting, and other building functions in schools, offices, and commercial sites.
In their factory-default configuration they expose the full web-based human-machine interface (HMI) with no authentication at all.
Anyone with network access to a controller therefore gets full read/write control, can create administrator accounts, or can lock legitimate operators out.
The issue, detailed in Zero Science Lab advisory ZSL-2026-5979 published on March 2, 2026, affects models including the IQ4E, IQ412, and IQ422.
At factory defaults no login is required: an attacker operates as the built-in “System User” at privilege level 100 and can also reach the hidden “Diagnostics Overview” page through URLs such as /^.htm (or its URL-encoded form /%5E.htm), further widening the exposure.
Unauthenticated Access Enables Lockout and Tampering
Zero Science Lab warns that a remote attacker who can reach the HTTP interface (TCP port 80 by default) can use the U.htm page to create a new administrator account before any authentication has been configured.
Doing so switches on the user module under attacker-chosen credentials, potentially locking operators out of both the web interface and local configuration. A proof-of-concept script, trendhmi.py, demonstrates this remote web-HMI control.
Honeywell insists the controllers are intended for on-premises use only, not for internet-facing deployment. In practice, flat networks, VPNs, and remote-access links frequently expose them anyway.
“Security must be engineered for resilience, not isolation,” notes researcher Krstic, quoting AI Joe. The vendor’s manual urges operators to enable security as a best practice, but the factory defaults leave the interface wide open.
Affected Versions Table
| Model | Firmware Version (Build) |
|---|---|
| IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, IQECO | 4.36 (4.3.7.9), 4.34 (4.3.5.14), 3.52 (3.5.3.15), 3.50, 3.44 |
The advisory lists the tested component as webServr XML Web Services. Impacts include authentication bypass, full system access, and denial of service through operator lockout. Zero Science rates the risk 5/5.
The disclosure timeline shows a slow vendor response:
- Dec 9, 2025: Flaw found.
- Dec 23, 2025–Feb 25, 2026: Multiple vendor contacts went unanswered.
- Feb 26, 2026: CERT/CC case opened (VU#854120); CISA notifies Honeywell.
- Mar 2, 2026: Public disclosure.
Key Indicators (URLs to watch for)
| Type | Indicator | Context/Source |
|---|---|---|
| URL | /U.htm | User creation endpoint (ZSL) |
| URL | /^.htm or /%5E.htm | Hidden diagnostics (ZSL) |
| PoC | trendhmi.py | Zero Science |
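The two URLs in the table are the most practical detection hooks: a request to U.htm or the diagnostics page from anything other than a known operator workstation is exactly the attack path the advisory describes. The following detection logic is an added example for this article, not code from Zero Science Lab or Honeywell. It assumes HTTP traffic to the controllers is being recorded in common/combined log format by a monitoring proxy or network sensor in front of them (the controllers themselves are not assumed to log anything), and the operator subnet and sample log lines are constructed for the example.

```python
"""Flag requests to the Trend IQ user-creation and hidden diagnostics pages.

Added example (not from the ZSL advisory). Assumes a proxy or sensor logs HTTP
requests to the controllers in common/combined log format. The operator
network and the sample lines below are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import unquote

# Hosts the building-management operators legitimately use (assumed).
OPERATOR_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Paths from the advisory, compared after percent-decoding and lower-casing so
# that /U.htm, /u.htm, /^.htm and /%5E.htm all match.
WATCH_PATHS = {
    "/u.htm": "user creation page (U.htm)",
    "/^.htm": "hidden Diagnostics Overview page",
}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two operator hits, two from an outside address.
SAMPLE_LOG = """\
10.20.0.15 - - [02/Mar/2026:09:14:02 +0000] "GET /S.htm HTTP/1.1" 200 1432
10.20.0.15 - - [02/Mar/2026:09:15:40 +0000] "GET /U.htm HTTP/1.1" 200 2210
203.0.113.77 - - [02/Mar/2026:11:02:11 +0000] "GET /%5E.htm HTTP/1.1" 200 5120
203.0.113.77 - - [02/Mar/2026:11:02:30 +0000] "POST /U.htm HTTP/1.1" 200 310
192.168.5.9 - - [02/Mar/2026:11:05:00 +0000] "GET /index.htm HTTP/1.1" 200 900
10.20.0.15 - - [02/Mar/2026:14:30:12 +0000] "POST /U.htm HTTP/1.1" 200 310
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["path"] = unquote(rec["path"].split("?", 1)[0]).lower()
    rec["status"] = int(rec["status"])
    return rec


def is_operator(src):
    """True if the source address belongs to an allowed operator network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in OPERATOR_NETS)


def find_alerts(log_text):
    """Return alerts for sensitive-page access, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] not in WATCH_PATHS:
            continue
        severity = None
        if not is_operator(rec["src"]) and rec["status"] == 200:
            # Sensitive page served to a non-operator: the advisory's attack path.
            severity = "high"
        elif rec["method"] == "POST" and rec["path"] == "/u.htm":
            # Account change from an operator host: legitimate but worth review.
            severity = "medium"
        if severity:
            alerts.append({
                "severity": severity,
                "src": rec["src"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": rec["path"],
                "why": WATCH_PATHS[rec["path"]],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The GET of U.htm from the operator host produces no alert, the two requests from 203.0.113.77 are flagged high, and the operator's POST to U.htm is flagged medium so that account changes get a second look. Adjust OPERATOR_NETS to the real BMS workstation range before using this against production logs.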
Mitigations:
- Immediately isolate the controllers from the internet and from untrusted networks.
- Create at least one user via U.htm so the user module is enabled and a login is required; change any default credentials.
- Segment the building-management network and block TCP port 80 to the controllers from everything except operator hosts.
- Apply firmware updates if Honeywell releases them; monitor CISA and Honeywell advisories.
- Scan for exposed devices with Shodan or similar, and verify from inside the network that the HMI now demands a login.
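The last two mitigations are only useful if you can confirm, controller by controller, whether the HMI still answers without credentials. The checker below is an added example for this article, not part of the ZSL advisory or the trendhmi.py proof of concept. It sends only GET requests to the two pages named above and never creates users or changes configuration. It assumes (the advisory does not state this) that a controller with the user module enabled answers those pages with 401/403 or a redirect to a login page rather than 200; the mock controllers at the bottom are constructed so the checker can be exercised offline.

```python
"""Check whether a Trend IQ-style controller's web HMI answers without a login.

Added example for this article; not part of the ZSL advisory or the trendhmi.py
proof of concept. Only GET requests are sent; nothing is created or changed.
Assumption: with the user module enabled the controller returns 401/403 or a
redirect for the probed pages instead of 200. The mock controllers below are
constructed stand-ins so the checker runs offline; real firmware is not emulated.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Pages named in the advisory: user creation and the hidden diagnostics overview
# (the caret is sent URL-encoded).
PROBE_PATHS = ("/U.htm", "/%5E.htm")


def probe_path(host, port, path, timeout=5):
    """GET one page; return (status, needs_auth) without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        status = resp.status
    finally:
        conn.close()
    needs_auth = status in (401, 403) or 300 <= status < 400
    return status, needs_auth


def assess_controller(host, port=80):
    """Return ('open' | 'auth-enforced' | 'unreachable', per-path results)."""
    results = {}
    for path in PROBE_PATHS:
        try:
            results[path] = probe_path(host, port, path)
        except OSError:  # refused, reset or timed out
            results[path] = (None, None)
    statuses = [status for status, _ in results.values()]
    if all(status is None for status in statuses):
        return "unreachable", results
    if any(status == 200 for status in statuses):
        # A sensitive page served with no credentials: factory-default state.
        return "open", results
    return "auth-enforced", results


class MockController(BaseHTTPRequestHandler):
    """Constructed stand-in: serves the probed pages, with or without a 401."""

    def do_GET(self):
        if self.path not in PROBE_PATHS:
            self.send_response(404)
            self.end_headers()
        elif self.server.auth_enabled:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="controller"')
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Diagnostics Overview</html>")

    def log_message(self, *args):
        pass  # keep the console quiet during the demo


def start_mock(auth_enabled):
    """Start a mock controller on a random loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), MockController)
    server.auth_enabled = auth_enabled
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_mock(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    for flag in (False, True):
        server, port = start_mock(auth_enabled=flag)
        print(f"auth_enabled={flag}:", assess_controller("127.0.0.1", port))
        stop_mock(server)
```

Run assess_controller against each controller address from the inventory after enabling users; any "open" verdict means the user module is still off on that unit. A "needs_auth" flag of False alongside a non-200 status (for example a 404) is worth a manual look, since it means the page layout differs from what the advisory describes.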
This flaw underscores that ICS/OT defaults must assume exposure rather than isolation. Internet scans suggest thousands of controllers may be vulnerable.
The post Honeywell Controllers Exposed Online Without Authentication, Thousands at Risk appeared first on Cyber Security News.
