A researcher has identified a potentially serious vulnerability in a Honeywell building management controller, though Honeywell disputes the severity and impact of this discovery.
Cybersecurity researcher Gjoko Krstic, well known for his work on building control systems and for discovering significant vulnerabilities in them, has been examining Honeywell's IQ4 controller.
Krstic claims that the product's web-based human-machine interface (HMI) is exposed without authentication when in its factory-default settings.
The researcher also discovered that if the product is not configured correctly and a user module is not enabled during setup, a remote attacker with access to the management interface could create an administrator account before legitimate users establish their own accounts.
"This action can effectively lock legitimate operators out of local and web-based configuration and administration," Krstic stated in an advisory published this week.
He cautioned that the vulnerability could put schools, commercial buildings, and other facilities at risk if they use the affected building control system.
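The weakness described above is a general initial-setup pattern: a network-reachable management interface whose first administrator account can be claimed by whoever reaches it first, while the device still acts on equipment. The following Python model is an added illustration, not Honeywell code and not derived from the IQ4; the class names, the management subnet `192.0.2.0/24`, the console-only setup token and the `set_point` operation are all constructed assumptions. It places a controller with the weak setup flow beside a secure-by-default variant in which the network HMI stays locked until setup completes and the first admin can only be created with a one-time token shown on the local console, from a peer on the management subnet.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str


def _hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative credential storage; a real device would use a vetted KDF setup.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VulnerableController:
    """Setup flow of the kind the advisory describes (constructed model):
    the web HMI is reachable and the first admin account is claimable
    by the first peer that asks for it."""

    def __init__(self) -> None:
        self.admins: dict[str, tuple[bytes, bytes]] = {}

    def create_admin(self, user: str, password: str, peer: str) -> bool:
        # No check on where the request comes from and no proof of local
        # access: while the admin table is empty, anyone may fill it.
        if self.admins:
            return False
        salt = secrets.token_bytes(16)
        self.admins[user] = (salt, _hash_password(password, salt))
        return True

    def set_point(self, name: str, value: float, session: Session | None) -> bool:
        # Control actions are accepted without any session as long as no
        # account exists: the "unconfigured" device still drives equipment.
        if not self.admins:
            return True
        return session is not None and session.user in self.admins


class HardenedController:
    """Secure-by-default variant (constructed model): network HMI locked
    until setup is done; setup needs a single-use token that is only
    shown on the local console, from a peer on the management subnet."""

    def __init__(self, mgmt_net: str = "192.0.2.0/24") -> None:
        self.admins: dict[str, tuple[bytes, bytes]] = {}
        self.mgmt_net = ipaddress.ip_network(mgmt_net)
        self.setup_done = False
        self._setup_token = secrets.token_urlsafe(16)

    def console_show_setup_token(self) -> str:
        # In a real device this would only be readable on the serial/local
        # console, i.e. it requires physical presence.
        return self._setup_token

    def create_admin(self, user: str, password: str, peer: str, token: str) -> bool:
        if self.setup_done or not self._setup_token:
            return False  # no second "first admin"
        if ipaddress.ip_address(peer) not in self.mgmt_net:
            return False  # setup is not offered to arbitrary network peers
        if not hmac.compare_digest(token, self._setup_token):
            return False  # proof of console access required
        salt = secrets.token_bytes(16)
        self.admins[user] = (salt, _hash_password(password, salt))
        self.setup_done = True
        self._setup_token = ""  # token is single use
        return True

    def login(self, user: str, password: str) -> Session | None:
        if not self.setup_done or user not in self.admins:
            return None
        salt, stored = self.admins[user]
        if hmac.compare_digest(stored, _hash_password(password, salt)):
            return Session(user)
        return None

    def set_point(self, name: str, value: float, session: Session | None) -> bool:
        # Nothing is controllable until setup is complete and the caller
        # holds an authenticated session.
        if not self.setup_done or session is None:
            return False
        return session.user in self.admins

    def factory_reset(self) -> None:
        # A reset returns the device to the locked setup state with a
        # fresh token rather than to an open "claim me" state.
        self.admins.clear()
        self.setup_done = False
        self._setup_token = secrets.token_urlsafe(16)
```

The contrast to take from the model is that the hardened variant never has a window in which control operations or admin creation are accepted from an unauthenticated network peer; the device is inert on the network until someone with console access completes setup.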
The issue was reported to Honeywell in December 2025. However, the company is not planning to release any patches, asserting that the IQ4 device is meant for on-premises use and should not be exposed to the internet.
"IQ4 devices are delivered unconfigured and are set up by trained technicians before they become operational," Honeywell explained in a statement to SecurityWeek. "The scenario described by the researcher could only occur during a brief installation phase, before the system is active, or if security settings were deliberately disabled against clear warnings."
Honeywell added, "At that stage, the device cannot monitor or control any equipment, and there is no impact on operations. Any installation issue can be resolved through a standard reset, and when installed using normal processes, security is automatically enabled as part of a secure-by-default design."
Despite this, Krstic disagrees with Honeywell's assessment. He claims to have found nearly 7,500 instances of the product exposed to the internet, with about 20% accessible without authentication.
Krstic also disputes Honeywell's assertion that the device cannot monitor or control equipment if not fully set up. "I've seen installations where the user account has not been created and I was able to make changes to components like lighting and temperature, turn off the boiler or chiller, and perform other operations on control equipment," Krstic told SecurityWeek.
SecurityWeek has confirmed that many IQ4 interfaces are exposed to the internet, though it has not verified the other claims.
Krstic noted that a CVE for the vulnerability is pending. He has also contacted the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which often helps mediate vulnerability disclosures.
Cybersecurity firms report that building automation systems are frequently targeted in attacks by threat actors.