Critical Vulnerability Discovered in Honeywell’s Trend IQ4xx Building Management System
Security researchers at Zero Science Lab have disclosed a vulnerability in Honeywell’s Trend IQ4xx series of Building Management System (BMS) controllers. In their factory-default configuration the devices expose the entire web-based Human-Machine Interface (HMI) without any authentication: anyone who can reach the controller’s HTTP port has full access to it.
The advisory, designated ZSL-2026-5979, was published on March 2, 2026, after several months of limited engagement with the vendor. The exposure is significant given how widely these controllers are deployed in commercial buildings, educational institutions, and industrial facilities.
No Authentication by Default—A Design Flaw
The Trend IQ4xx series controllers are integral to managing heating, ventilation, air conditioning (HVAC) systems, energy controls, and scalable input/output operations that can support up to 192 I/O points. These devices utilize Ethernet and TCP/IP protocols and support BACnet over IP, serving as crucial nodes in unified building automation networks.
The flaw lies in the controller’s default security posture. Until a user module has been configured, the controller enforces no authentication at all: every HTTP request is handled in the System User context at privilege level 100, which gives anyone who can reach the HTTP interface full read and write access to the HMI.
Authentication is only enabled once a web user has been created manually through the U.htm page, and that page is itself reachable before any authentication exists. A remote attacker can therefore open U.htm, create an administrator account with credentials of their choosing, and lock legitimate operators out of both local and web-based management, a complete administrative takeover of the controller.
The researchers also identified a hidden diagnostics endpoint (/^.htm, reachable as /%5E.htm when the caret is percent-encoded), which further widens the unauthenticated attack surface.
Affected Versions
The following models are affected by this vulnerability:
- IQ4E, IQ412, IQ422: Firmware Version 4.36 (build 4.3.7.9)
- IQ4NC, IQ41x: Firmware Version 4.34 (build 4.3.5.14)
- IQ3, IQECO: Firmware Versions 3.52 (build 3.5.3.15), 3.50, 3.44
Honeywell’s Product Security Incident Response Team (PSIRT) acknowledged the report in late January 2026. Its position was that the IQ4 controller is an on-premise product that should not be exposed directly to the internet and should be installed and configured only by technically competent personnel. That response does not address the insecure default state itself: an HMI that requires no login is just as exposed to anyone on the same internal network as it would be on the internet.
The researchers escalated the issue through CERT/CC (VU#854120) and CISA on February 26, 2026. By the time the advisory was published, Honeywell had issued neither a further acknowledgment nor a fix.
A proof-of-concept script, trendhmi.py, was released alongside the advisory to demonstrate how easily an unauthenticated user can interact with the HMI.
Mitigation Recommendations
In light of the discovered vulnerability, Zero Science Lab recommends several urgent mitigation strategies:
- Immediately create a web user account through U.htm to enable authentication on every deployed IQ4xx controller.
- Isolate BMS controllers on dedicated, firewalled network segments to limit exposure.
- Disable remote access pathways unless essential for operations.
- Conduct audits of all flat network environments to identify reachable IQ4xx devices.
- Keep track of advisories from CISA and Honeywell for any forthcoming official patch releases.
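The audit recommended above can be scripted. The following is an added example written for this page, not Zero Science Lab's trendhmi.py and not Honeywell code: it probes the three paths the advisory names (the HMI root, U.htm, and the percent-encoded diagnostics page /%5E.htm) with plain unauthenticated GET requests and reports which controllers are still in the insecure default state. It never POSTs to U.htm, so it does not create a user or change the controller. One assumption is baked in and labelled in the code: an HTTP 200 on an unauthenticated request is treated as "served without a login" and 401/403 as "credentials demanded"; the advisory does not describe the controller's exact responses, so confirm the rule against one controller you know has a web user configured before trusting the verdicts at scale. The host list, the `Probe` objects used in testing, and the verdict labels are this example's own constructions.

```python
"""Audit helper: flag Trend IQ4xx controllers whose web HMI answers without
authentication.  Added example for this page, not the advisory's PoC.

Usage:  python iq4xx_audit.py 10.0.5.21 10.0.5.22 ...
Exit status 1 if any host looks open, 0 otherwise, 2 on usage error."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

# Paths from the advisory: HMI root, the user-creation page, and the hidden
# diagnostics page (/^.htm, sent percent-encoded so urllib leaves it alone).
PROBE_PATHS = ("/", "/U.htm", "/%5E.htm")


@dataclass
class Probe:
    """Result of one unauthenticated GET against one path."""
    path: str
    status: Optional[int]        # HTTP status, or None when no response came back
    www_auth: Optional[str]      # WWW-Authenticate header, if the server sent one
    error: Optional[str] = None  # transport error text when status is None


def classify(probe: Probe) -> str:
    """ASSUMPTION (not stated in the advisory): 200 without credentials means
    the page is served with no login; 401/403 means the controller is now
    demanding credentials, i.e. a web user has been configured."""
    if probe.status is None:
        return "unreachable"
    if probe.status == 200:
        return "OPEN"
    if probe.status in (401, 403):
        return "auth-required"
    return "other(%d)" % probe.status


def fetch(host: str, path: str, timeout: float = 5.0) -> Probe:
    """Read-only GET; no credentials, no form submission, no state change."""
    req = urllib.request.Request(
        "http://%s%s" % (host, path),
        method="GET",
        headers={"User-Agent": "iq4xx-audit"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(path, resp.status, resp.headers.get("WWW-Authenticate"))
    except urllib.error.HTTPError as e:          # 4xx/5xx still carry headers
        return Probe(path, e.code, e.headers.get("WWW-Authenticate"))
    except (urllib.error.URLError, OSError) as e:  # refused, timeout, no route
        return Probe(path, None, None, str(e))


def assess(probes: List[Probe]) -> Dict[str, object]:
    """Roll per-path results into one verdict for a host.

    'insecure-default' is the advisory's factory state: both the HMI root and
    U.htm are served with no login, so anyone reaching the port can read and
    write the HMI and create the first (administrator) web user."""
    results = {p.path: classify(p) for p in probes}
    root_open = results.get("/") == "OPEN"
    uhtm_open = results.get("/U.htm") == "OPEN"
    diag_open = results.get("/%5E.htm") == "OPEN"
    if all(v == "unreachable" for v in results.values()):
        verdict = "unreachable"
    elif root_open and uhtm_open:
        verdict = "insecure-default"
    elif any(v == "OPEN" for v in results.values()):
        verdict = "partially-open"      # worth a manual look
    elif any(v == "auth-required" for v in results.values()):
        verdict = "auth-enabled"
    else:
        verdict = "no-hmi"              # answered, but not with HMI pages
    return {"verdict": verdict, "paths": results, "diagnostics_exposed": diag_open}


def audit_host(host: str) -> Dict[str, object]:
    return assess([fetch(host, p) for p in PROBE_PATHS])


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print("usage: %s HOST [HOST ...]" % argv[0], file=sys.stderr)
        return 2
    rc = 0
    for host in argv[1:]:
        r = audit_host(host)
        print("%s: %s diagnostics=%s %s" % (
            host, r["verdict"],
            "exposed" if r["diagnostics_exposed"] else "no",
            r["paths"]))
        if r["verdict"] in ("insecure-default", "partially-open"):
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it only against address ranges you own, from the same segments a contractor laptop or any other flat-network host would sit on; a controller that reports `insecure-default` from there is exactly the condition the advisory describes, whether or not it is reachable from the internet. Because the verdict rests on status codes alone, a controller that answers every path with 200 and a login form would be misreported as open, which is why the lead-in asks you to validate the rule once against a known-protected unit.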
Conclusion
This flaw in Honeywell’s Trend IQ4xx series controllers underscores the need for secure defaults in building management systems: a device that ships with no authentication is only as protected as the network around it. Given how heavily essential infrastructure relies on these controllers, operators should enable authentication and segment the devices now rather than wait for a vendor patch, to guard against unauthorized access and operational disruption.

