bms security
About this tag
The bms security tag covers vulnerabilities and risks in building management system (BMS) controllers, particularly Honeywell IQ4 devices. A key thread discusses CVE-2026-3611, where IQ4 controllers ship with an unauthenticated web HMI, exposing critical infrastructure to attacks from untrusted networks. Topics include factory-default security gaps, HVAC and lighting controller risks, and the importance of securing BMS against remote exploitation. Discussions focus on enterprise IT and security implications for commercial, healthcare, and other facilities using these controllers.
Honeywell’s widely deployed IQ4 building-management controllers can ship in a factory-default state that exposes the full web HMI without authentication, creating an immediate, high-severity risk for any installation where the device is reachable from untrusted networks.
Background
The IQ4...