CVE-2026-3611
Honeywell · IQ4x
Honeywell IQ4x controllers allow unauthenticated remote attackers to create administrative accounts and take full control of building management systems.
Executive summary
The Honeywell IQ4x building management controller ships with its HMI reachable without authentication, a critical flaw that allows an unauthenticated attacker to gain full administrative control of the controller and lock out legitimate users.
Vulnerability
In its default state the device's HMI is exposed without authentication, and the account creation page (U.htm) can be reached by anyone able to contact the controller. An attacker can therefore create an administrative account. Because creating that first account enables the user module, the controller starts demanding credentials that only the attacker holds, and legitimate operators are locked out.
Business impact
This vulnerability has a CVSS score of 10.0, the highest possible. An attacker can take complete control of building systems (HVAC, lighting, etc.) and effectively lock out legitimate operators. This poses significant risks to physical safety, operational continuity, and the security of the facility.
Remediation
Immediate Action: On every controller, enable the user module by creating a strong administrative account (after confirming that no unrecognised account already exists), then update the firmware to the latest version.
Proactive Monitoring: Scan the network for Honeywell IQ4x devices that are still operating with the user module disabled (the factory-default state) or that show administrative accounts the operations team did not create.
Compensating Controls: Never expose building management controllers directly to the public internet; place them on a segmented OT network reachable only through a VPN or a firewall that restricts access to operator systems.
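The following check supports the "Proactive Monitoring" step: it sends a single unauthenticated GET for the account creation page named in the advisory and reports whether the controller served it without demanding credentials. This is an added example written for this page, not Honeywell code or a published exploit, and it does not submit the form. Everything beyond the page name U.htm is an assumption: that the page is served from the web root over HTTP port 80, and that a controller with the user module enabled answers with 401/403 or a redirect to a login page.

```python
"""Unauthenticated-exposure check for Honeywell IQ4x HMIs (added example).

Assumptions not stated in the advisory: the account-creation page is served
as /U.htm over HTTP on port 80, and a controller with the user module enabled
answers a bare request with 401/403 or a redirect to a login page.
The script only issues a GET; it never creates an account.
"""
import http.client
import sys
import urllib.error
import urllib.request

ACCOUNT_PAGE = "/U.htm"   # file name from the advisory; the root path is assumed
TIMEOUT = 5               # seconds; keep probes against OT equipment gentle


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, headers: dict, body: str) -> str:
    """Turn one HTTP response for the account page into an operator verdict."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403) or "www-authenticate" in h:
        return "protected"              # user module on: credentials demanded
    if status in (301, 302, 303, 307, 308) and "login" in h.get("location", "").lower():
        return "protected"              # bounced to a login page
    if status == 404:
        return "not-found"              # not an IQ4x HMI, or the path assumption is wrong
    if status == 200:
        low = body.lower()
        if "<form" in low and "password" in low:
            return "exposed"            # account-creation form served with no login
        return "reachable-unverified"   # 200 but no account form: inspect by hand
    return "unknown"


def fetch(host: str, port: int = 80) -> tuple:
    """GET the account page without credentials; return (status, headers, body)."""
    url = f"http://{host}:{port}{ACCOUNT_PAGE}"
    req = urllib.request.Request(url, headers={"User-Agent": "iq4x-exposure-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=TIMEOUT) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, dict(resp.headers.items()), body
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
        raw = err.read(65536) if err.fp is not None else b""
        return err.code, dict(err.headers.items()), raw.decode("utf-8", "replace")


def scan(hosts, port: int = 80) -> dict:
    """Map each host to a verdict; network failures become 'unreachable'."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(*fetch(host, port))
        except (urllib.error.URLError, OSError, http.client.HTTPException, ValueError):
            results[host] = "unreachable"
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: iq4x_check.py HOST [HOST ...]")
    for target, verdict in scan(sys.argv[1:]).items():
        print(f"{target}\t{verdict}")
```

Run it only against controllers you are authorised to test, and treat "exposed" as a finding to confirm on the device itself: a 200 with a password form is strong evidence that the user module is still off, while "reachable-unverified" means the path assumption or the page layout differs from what this check expects.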
Exploitation status
Public Exploit Available: No
Analyst recommendation
This is a critical flaw that requires immediate attention to prevent unauthorized control of physical infrastructure. Administrators must ensure that every IQ4x controller has authentication enabled and is running the latest firmware.