ICSA-26-069-03 · Published 2026-03-26 · View on CISA ICS-CERT
Honeywell IQ4 Series BMS Controller (Update A)
CVSS 9.8 (Critical)
Risk Summary
Successful exploitation of this vulnerability could allow an unauthorized attacker to access controller management settings, control components, disclose information, or cause a denial-of-service condition.
CVEs (1)
Remediations
- Firmware version 3.30 (released June 2015) and later force the user to install a user module when the device is commissioned; the user module is what enables authentication and the other security features of the web interface. A device commissioned on an earlier version and then updated to 3.30 or later (the current version is 4.3x) is not forced to install a user module unless its device configuration files were changed after the firmware update, so a controller can be running current firmware with those security features still disabled. Honeywell therefore recommends that users check their firmware version and confirm that a user module has been set up, even on devices already running firmware version 3.30 or later.
- Honeywell recommends that users with affected products take the following steps:
- Apply product updates as available.
- Follow guidance in the product security manual to ensure isolation of network segments hosting building automation controllers.
- Ensure adequate security controls are in place between OT and IT segments.
- Disable unnecessary accounts and services.
- Restrict system access to authorized personnel only and follow a least privilege approach.
- Apply defense-in-depth strategies.
- Log and monitor network traffic for suspicious activity.
- For IQ4 Series controllers, ensure the latest available firmware version is utilized. The latest firmware may be obtained from a dealer or the Trend Partner Network https://partners.trendcontrols.com/signin (login required).
- Follow the Security Best Practice for Trend Products included with product documentation. Additional copies may be obtained from a dealer or the Trend Partner Network https://partners.trendcontrols.com/signin (login required).
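The two checks the remediation asks operators to perform (is the firmware at or above 3.30, and does the web interface actually refuse unauthenticated requests, i.e. has a user module been installed) are easy to script across an inventory. The following is an added example, not Honeywell, Trend or CISA code. It assumes that probing the web root `/` with an anonymous GET is a reasonable test, that a controller with a user module answers such a request with 401 or 403, and that the firmware minor field is a plain integer (so 3.30 is read as (3, 30), matching the page's "4.3x" notation); adjust those assumptions to what your controllers return. The inventory and the responses in the demo are constructed so the script runs offline.

```python
"""Audit IQ4 controllers for outdated firmware and an unauthenticated web
interface.  Added example (not vendor code).  The probed path "/" and the
401/403 = "authentication enforced" rule are assumptions about the device.
"""
import re
import urllib.error
import urllib.request

MIN_FIRMWARE = (3, 30)   # first version that forces a user module at commissioning


def parse_version(s):
    """'v4.31' -> (4, 31).  Tolerates a 'v' prefix and trailing text."""
    m = re.match(r"v?(\d+)\.(\d+)", s.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {s!r}")
    return int(m.group(1)), int(m.group(2))


def firmware_outdated(version):
    """True when the firmware predates 3.30."""
    return parse_version(version) < MIN_FIRMWARE


def http_probe(url, timeout=5):
    """Anonymous GET; returns the HTTP status, or None if the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "iq4-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code            # 401/403 etc. arrive as exceptions in urllib
    except (urllib.error.URLError, OSError):
        return None


def classify_web(status):
    """Interpret the status of an unauthenticated request (assumed rule)."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-enforced"   # a user module is demanding credentials
    if 200 <= status < 400:
        return "NO-AUTH"         # content served to an anonymous client: finding
    return f"other-{status}"


def audit(inventory, probe=http_probe):
    """Return one finding per device; `probe` is injectable for offline use."""
    findings = []
    for dev in inventory:
        status = probe(f"http://{dev['host']}/")
        web = classify_web(status)
        outdated = firmware_outdated(dev["firmware"])
        findings.append({
            "host": dev["host"],
            "firmware": dev["firmware"],
            "firmware_outdated": outdated,
            "web": web,
            # The advisory's caveat: current firmware is not enough on its own.
            "needs_action": outdated or web == "NO-AUTH",
        })
    return findings


# Constructed sample inventory and responses (not real devices).
SAMPLE_INVENTORY = [
    {"host": "10.10.1.21", "firmware": "v3.20"},  # pre-3.30, no user module support
    {"host": "10.10.1.22", "firmware": "v4.31"},  # updated in place, never re-commissioned
    {"host": "10.10.1.23", "firmware": "v4.31"},  # user module installed
]
SAMPLE_RESPONSES = {"10.10.1.21": 200, "10.10.1.22": 200, "10.10.1.23": 401}


def fake_probe(url, timeout=5):
    """Offline stand-in for http_probe keyed on the host in the URL."""
    host = url.split("//", 1)[1].split("/", 1)[0]
    return SAMPLE_RESPONSES.get(host)


def demo():
    return audit(SAMPLE_INVENTORY, probe=fake_probe)


if __name__ == "__main__":
    for f in demo():
        flag = "ACTION" if f["needs_action"] else "ok"
        print(f"{f['host']:<14} fw={f['firmware']:<6} web={f['web']:<14} {flag}")
```

The second sample device is the case the remediation warns about: firmware 4.31 passes a version check, yet the web interface still serves anonymous requests because no user module was ever installed. Run with the real `http_probe` only from a management segment that is allowed to reach the controllers, and treat "unreachable" as "not yet verified" rather than "secure".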
Affected Vendors
Honeywell
Affected Products (5)
- Honeywell IQ4E Firmware: versions prior to v3.30
- Honeywell IQ412 Firmware: versions prior to v3.30
- Honeywell IQ422 Firmware: versions prior to v3.30
- Honeywell IQ4NC Firmware: versions prior to v3.30
- Honeywell IQ41x Firmware: versions prior to v3.30
Affected Sectors
Commercial Facilities, Critical Manufacturing, Government Services and Facilities, Healthcare and Public Health