Honeywell Controllers Exposed Online Without Authentication, Thousands at Risk

Cybersecurity researcher Gjoko Krstic from Zero Science Labs has uncovered a critical flaw in Honeywell’s Trend IQ4xx building management system (BMS) controllers.

These devices control HVAC, lighting, and other building functions in schools, offices, and commercial sites.

In their default setup, they expose a full web-based human-machine interface (HMI) without any authentication.

This allows anyone with network access to take full read/write control, create admin accounts, or lock out legitimate users.

The issue, detailed in advisory ZSL-2026-5979 released on March 2, 2026, affects models like IQ4E, IQ412, and IQ422.

No login is needed at factory defaults; attackers operate as a “System User” with level 100 privileges. They can even access a hidden “Diagnostics Overview” page via URLs like /^.htm, expanding the risks.

Unauthenticated Access Enables Lockout and Tampering

Zero Science Labs warns that remote attackers can reach the HTTP interface (default port 80) and use the U.htm page to create a new admin user before any security kicks in.

This flips on the user module under attacker-chosen credentials, potentially locking operators out of web and local config. A proof-of-concept script, trendhmi.py, demonstrates this remote web-HMI control.

Honeywell insists the controllers are for on-premise use only, not internet-facing setups. But flat networks, VPNs, and remote access often expose them anyway.

“Security must be engineered for resilience, not isolation,” notes researcher Krstic, quoting AI Joe. The vendor’s manual urges enabling security per best practices, but defaults leave systems wide open.

Affected Versions Table

Model	Firmware Version (Build)
IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, IQECO	4.36 (4.3.7.9), 4.34 (4.3.5.14), 3.52 (3.5.3.15), 3.50, 3.44

Tested on webServr XML Web Services. Impacts include security bypass, full system access, and DoS via lockout. Risk rated 5/5.

Discovery timeline highlights slow response:

• Dec 9, 2025: Flaw found.
• Dec 23, 2025–Feb 25, 2026: Multiple vendor contacts ignored.
• Feb 26, 2026: CERT case opened (VU#854120); CISA notifies Honeywell.
• Mar 2, 2026: Public disclosure.

Key IOCs

Type	Indicator	Context/Source
URL	/U.htm	User creation endpoint (ZSL)
URL	/^.htm or /%5E.htm	Hidden diagnostics (ZSL)
PoC	trendhmi.py	Zero Science

Mitigations:

• Immediately isolate controllers from internet/untrusted networks.
• Create users via U.htm to enable auth; change defaults.
• Deploy network segmentation, firewalls blocking port 80.
• Update firmware if patches emerge; monitor CISA/Honeywell.
• Scan for exposed devices using Shodan or similar.

This flaw underscores that ICS/OT risks defaults must assume exposure. Thousands may be vulnerable per internet scans.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post Honeywell Controllers Exposed Online Without Authentication, Thousands at Risk appeared first on Cyber Security News.