Thousands of Honeywell BMS Controllers Vulnerable Online Due to Unauthenticated Access

Thousands of Honeywell building-management controllers have been found reachable from the Internet with no authentication at all. Anyone who can reach a controller's web interface can change settings through its web-based controls and, as described below, can create the first web user and lock legitimate operators out.

Zero Science Lab has issued advisory ZSL-2026-5979, dated March 2, 2026, highlighting an unauthenticated access vulnerability in Honeywell’s Trend IQ4xx Building Management System (BMS) controllers when left in their factory-default settings.

The Trend IQ4 series is extensively utilized for building automation and HVAC control, supporting protocols like Ethernet/TCP/IP and BACnet/IP. These controllers are scalable, accommodating large input/output configurations suitable for commercial environments.

According to the advisory, if no user module is configured, the controller’s full Web Human-Machine Interface (HMI) becomes accessible without authentication. In this default state, the system operates under a high-privilege System User (level 100) context. Consequently, anyone with access to the HTTP interface can obtain read/write permissions through the Web HMI.

The core problem is that authentication is enforced only once a web user exists: creating a user through the U.htm page dynamically enables the user module. Because, per the Zero Science Lab advisory, that user-creation function is itself reachable before any authentication, a remote attacker can create an administrative account with credentials of their choosing and switch login enforcement on. From then on the attacker controls access, and legitimate operators, both local and web-based, are locked out.

The advisory also notes a hidden Diagnostics Overview endpoint at /^.htm (also reachable as /%5E.htm, the percent-encoded form of the same path), which widens what an attacker with access to the interface can reach.

Zero Science Lab rates this issue at 5/5 risk, citing potential impacts such as security bypass, system access, and denial-of-service conditions. A proof-of-concept script (trendhmi.py) has been publicly referenced, and coordination efforts include CERT/CC case VU#854120, with the Cybersecurity and Infrastructure Security Agency (CISA) requesting a vendor evaluation.

Honeywell’s Product Security Incident Response Team (PSIRT) has responded, stating that the IQ4 series is intended for on-premises use and not for direct Internet exposure. They recommend qualified installation and adherence to the provided documentation.

The affected products include IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, and IQECO, with impacted firmware versions such as 4.36 (build 4.3.7.9), 4.34 (build 4.3.5.14), 3.52 (build 3.5.3.15), 3.50, and 3.44.

Mitigation and Detection Strategies:

1. Remove Direct Internet Exposure: Block inbound access to the controllers' web interfaces at the network perimeter and reach them only through a VPN, with source allowlists so that only designated management hosts can connect.

2. Properly Enable Controller Security: Create the web users yourself so that the user module is enabled under your control, then verify from an unauthenticated client that neither the Web HMI nor U.htm can be reached without logging in.

3. Segment Operational Technology (OT) and BMS Networks: Isolate controllers from flat corporate networks and remote-access pathways to prevent unauthorized access.

4. Monitor for Suspicious HTTP Activity: Alert on requests to U.htm, /^.htm, or /%5E.htm (match on the percent-decoded path so both spellings are caught), and on any new administrative user appearing on a controller.

5. Inventory and Audit: Identify Trend IQ4xx devices within your network, confirm their firmware versions, and review access-rights configurations against Honeywell’s best-practice guidance (TP201331).
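The verification in step 2 and the inventory sweep in step 5 come down to asking each controller, with no credentials, whether it still serves the pages named in the advisory. The script below is an added example for this article, not Zero Science Lab's trendhmi.py and not Honeywell code. It assumes (the advisory does not say this) that a controller with its user module enabled answers an unauthenticated GET with 401/403 or a login redirect, while a factory-default one serves the page with 200; the target URL, the `probe`/`assess` helpers and the exit-code convention are all the example's own.

```python
"""Unauthenticated exposure check for the Trend IQ4xx Web HMI pages named in
the advisory. Added example for this article; not Zero Science Lab's
trendhmi.py and not Honeywell code.

Assumption (not from the advisory): a controller whose user module is enabled
answers an unauthenticated GET with 401/403 or a redirect to a login page,
whereas a factory-default one serves the page with 200. The real firmware's
responses were not verified here, so treat "unexpected" results as worth a
manual look.
"""
import sys
import urllib.error
import urllib.request

# Root of the Web HMI, the user-creation page, and the hidden Diagnostics
# Overview in both spellings (the second is the percent-encoded first).
PROBE_PATHS = ["/", "/U.htm", "/^.htm", "/%5E.htm"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx codes instead of following them, so a login redirect is
    visible rather than being turned into a 200 from the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch_status(base_url, path, timeout=5.0):
    """Send one GET with no credentials; return the HTTP status, 0 if unreachable."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401/403/3xx arrive here, not as exceptions to hide
    except (urllib.error.URLError, OSError, ValueError):
        return 0


def assess(statuses):
    """Turn {path: status} into {path: verdict} using the assumption above."""
    verdicts = {}
    for path, code in statuses.items():
        if code == 0:
            verdicts[path] = "unreachable"
        elif code == 200:
            verdicts[path] = "EXPOSED: served without authentication"
        elif code in (401, 403) or 300 <= code < 400:
            verdicts[path] = "protected: authentication or login redirect"
        else:
            verdicts[path] = f"unexpected status {code}, check manually"
    return verdicts


def exposed_paths(statuses):
    """Paths that came back 200 to an unauthenticated client."""
    return sorted(p for p, code in statuses.items() if code == 200)


def probe(base_url):
    """Fetch every watched path once, unauthenticated."""
    return {path: fetch_status(base_url, path) for path in PROBE_PATHS}


if __name__ == "__main__":
    # Usage: python iq4_probe.py http://<controller-ip>
    target = sys.argv[1]
    results = probe(target)
    for path, verdict in assess(results).items():
        print(f"{path:<10} {results[path]:>3}  {verdict}")
    # A 200 on U.htm means the user module is off and the first account goes
    # to whoever submits it first; exit non-zero so a sweep script notices.
    sys.exit(1 if exposed_paths(results) else 0)
```

Run it from a host that is not on the management allowlist as well as from one that is: the first run should show every path as protected or unreachable once steps 1 and 2 are done, and a 200 from outside on any path is the finding to escalate.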
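On the detection side (step 4), the signal is small enough to express directly: any request to the user-creation page or the hidden diagnostics page, especially from outside the management network, and any successful write to U.htm. The script below is an added example for this article, not Zero Science Lab's or Honeywell's code. It assumes HTTP to the controllers passes through a proxy or firewall that logs in Combined Log Format, that operator workstations sit in a known management subnet (10.20.0.0/24 here, a placeholder), and, since the advisory does not publish the U.htm parameters, that a non-GET request to U.htm or a GET carrying a query string is a possible user-creation write. The log lines are constructed for the example.

```python
"""Log-side detection for the probing and user-creation pattern the advisory
describes. Added example for this article; not Zero Science Lab's or
Honeywell's code.

Assumptions (not from the advisory): HTTP to the controllers passes through a
reverse proxy or firewall that writes Combined Log Format, operator
workstations sit in a known management subnet, and a non-GET request to U.htm
(or a GET carrying a query string) is a possible user-creation write, since the
real U.htm parameters are not published. The log lines below are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote

# Pages named in the advisory, stored percent-decoded and lower-cased.
WATCHED_PATHS = {"/u.htm", "/^.htm"}

# Hypothetical BMS management subnet; requests from elsewhere are unexpected.
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/24")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: an operator opening U.htm from inside, then an outside
# host reading the hidden diagnostics page and writing to U.htm.
SAMPLE_LOG = """\
10.20.0.15 - - [02/Mar/2026:09:12:01 +0000] "GET /index.htm HTTP/1.1" 200 5120
10.20.0.15 - - [02/Mar/2026:09:12:09 +0000] "GET /U.htm HTTP/1.1" 200 2210
198.51.100.7 - - [02/Mar/2026:11:41:55 +0000] "GET /%5E.htm HTTP/1.1" 200 7800
198.51.100.7 - - [02/Mar/2026:11:42:30 +0000] "POST /U.htm HTTP/1.1" 200 340
"""


def normalise_path(target):
    """Drop the query string, percent-decode and lower-case, so /%5E.htm and
    /^.htm (or /u.HTM) compare equal and encoding tricks do not evade the match."""
    return unquote(target.split("?", 1)[0]).lower()


def outside_management(src):
    try:
        return ipaddress.ip_address(src) not in MANAGEMENT_NET
    except ValueError:  # hostname or '-' in the source field: treat as unknown
        return True


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["has_query"] = "?" in entry["target"]
    entry["path"] = normalise_path(entry["target"])
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Alert tags for one request; an empty list means nothing of interest."""
    tags = []
    if entry["path"] not in WATCHED_PATHS:
        return tags
    tags.append("watched-path")
    if outside_management(entry["src"]):
        tags.append("from-outside-management-net")
    is_write = entry["method"] != "GET" or entry["has_query"]
    if entry["path"] == "/u.htm" and is_write and entry["status"] < 400:
        # A successful write to U.htm is the moment the user module gets
        # enabled with whatever credentials were submitted.
        tags.append("user-module-write")
    return tags


def detect(log_text):
    """Return the flagged requests from a log, in order of appearance."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append({"src": entry["src"], "ts": entry["ts"],
                         "method": entry["method"], "path": entry["path"],
                         "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]:<14} {hit["method"]:<4} '
              f'{hit["path"]:<8} {", ".join(hit["tags"])}')
```

The inside-network read of U.htm is flagged only as a watched path, which is the expected commissioning activity; the outside read of the diagnostics page and the outside write to U.htm are the two events that should page someone, and the second one should also trigger a review of the controller's user list.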

By implementing these mitigation and detection strategies, organizations can enhance the security of their Honeywell controllers and reduce the risk of unauthorized access and potential disruptions.