What is CVE-2026-3611?

CVE-2026-3611 is a critical-severity vulnerability in Honeywell Iq3, classified under Missing Authentication for Critical Function. CVSS score: 10.0/10. Published 2026-03-12.

How severe is CVE-2026-3611?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Auth bypass in Honeywell Iq3

CVE-2026-3611

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a S…

Vulnerability class: Broken Authentication

EPSS: 0.002 (47.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Honeywell Iq3 — versions v3.50_3.44
Honeywell Iq412 — versions v3.50_3.44
Honeywell Iq412_firmware
Honeywell Iq41x — versions v3.50_3.44
Honeywell Iq41x_firmware
Honeywell Iq422 — versions v3.50_3.44
Honeywell Iq422_firmware
Honeywell Iq4e — versions v3.50_3.44
Honeywell Iq4e_firmware
Honeywell Iq4nc — versions v3.50_3.44

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

ics-cert@hq.dhs.gov (US Government Resource, Third Party Advisory)
ics-cert@hq.dhs.gov (Issue Tracking)
ics-cert@hq.dhs.gov (Product)

Frequently asked questions

What is CVE-2026-3611?: CVE-2026-3611 is a critical-severity vulnerability in Honeywell Iq3, classified under Missing Authentication for Critical Function. CVSS score: 10.0/10. Published 2026-03-12.
How severe is CVE-2026-3611?: Critical severity. CVSS v3 base score is 10.0 out of 10.