Researcher Gjoko Krstic reported a high-risk vulnerability in Honeywell's IQ4 building management controller: in factory-default setups the web HMI can be reachable without authentication, and if no user module is enabled a remote actor with access to the management interface can create an administrator account. Honeywell disputes the severity, saying IQ4 devices are delivered unconfigured for on-premises installation and that security is enabled during setup; Krstic says he found about 7,500 internet-exposed instances, an estimated 20% of them accessible without authentication. #Honeywell #IQ4
Keypoints
- The IQ4 web HMI can be exposed without authentication in factory-default configurations, according to the researcher.
- If a user module isn't enabled, an attacker with management interface access could create an admin account.
- Krstic identified roughly 7,500 internet-exposed IQ4 instances and estimates about 20% lack authentication.
- Honeywell says the scenario only applies during brief installation phases and that normal setup by trained technicians enables security by default.
- A CVE is pending and the researcher has reached out to CERT/CC; SecurityWeek confirmed internet exposure but not all claimed impacts.
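The practical question for an operator is whether their own controller's web interface answers an unauthenticated request at all. The following triage helper is an added example written for this page; it is not code from the article, from Honeywell, or from the researcher, and it knows nothing IQ4-specific. It assumes the interface is probed at the URL you pass (typically the root path), treats a 401, a WWW-Authenticate header, a redirect to a login-looking URL, or a 200 carrying a login form as "credentials required", and treats any other 200 as "exposed". Those markers are heuristics, not device behaviour documented anywhere; run it only against hosts you are authorised to test.

```python
"""Added triage helper (not from the article or the vendor): classify how a
controller's web interface answers one unauthenticated GET.
Heuristic only; use solely against hosts you own or are authorised to test."""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Iterable

# Substrings commonly seen in login pages/URLs. An assumption, not IQ4-specific.
LOGIN_MARKERS = ("login", "log in", "sign in", "password")


@dataclass
class Probe:
    """What an unauthenticated GET returned."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def classify(p: Probe) -> str:
    """Return 'auth_required', 'blocked', 'exposed' or 'unknown'.

    A 401 (or any WWW-Authenticate header), a redirect to a login-looking
    URL, or a 200 whose body carries a login form all mean the device is
    asking for credentials. A 200 with no login form is the situation the
    researcher describes: the HMI itself answers to anyone.
    """
    hdrs = {k.lower(): v for k, v in p.headers.items()}
    body = p.body.lower()
    if p.status in (401, 407) or "www-authenticate" in hdrs:
        return "auth_required"
    if p.status == 403:
        return "blocked"  # reachable but refused; likely an IP ACL or proxy rule
    if 300 <= p.status < 400:
        target = hdrs.get("location", "").lower()
        return "auth_required" if any(m in target for m in LOGIN_MARKERS) else "unknown"
    if p.status == 200:
        if "<form" in body and any(m in body for m in LOGIN_MARKERS):
            return "auth_required"  # a login form was served, not the HMI
        return "exposed"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following a redirect to the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urlopen raise HTTPError carrying the 3xx response


def probe(url: str, timeout: float = 5.0) -> Probe:
    """Fetch url with no credentials and capture status, headers and body."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "hmi-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(resp.status, dict(resp.headers.items()),
                         resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx arrive here with headers and body
        return Probe(e.code, dict(e.headers.items()),
                     e.read(65536).decode("utf-8", "replace"))


def check_hosts(urls: Iterable[str]) -> Dict[str, str]:
    """Map each URL to its classification; network failures become 'unreachable'."""
    results: Dict[str, str] = {}
    for u in urls:
        try:
            results[u] = classify(probe(u))
        except (urllib.error.URLError, OSError, ValueError):
            results[u] = "unreachable"
    return results


if __name__ == "__main__":
    import sys
    for u, verdict in check_hosts(sys.argv[1:]).items():
        print(f"{verdict:14} {u}")
```

An "exposed" verdict from this script is a reason to look at the device, not proof of the reported issue: the classifier only observes that something served a page without asking for credentials, which is exactly the factory-default condition the researcher and Honeywell disagree about.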