Honeywell Trend IQ4 controllers may expose building controls online with no login
Thousands of Honeywell Trend IQ4 building-management controllers may be reachable over the internet without authentication if installers leave them in a factory-default-style configuration, according to a new researcher advisory. The claim centers on systems where no user module has been configured, a state that can leave the web-based HMI exposed and allow anyone with network access to interact with it.
The most important nuance is that Honeywell disputes the severity and says this should only happen during installation or if security settings were deliberately disabled. In a statement quoted by SecurityWeek, Honeywell said IQ4 devices are delivered unconfigured, set up by trained technicians, and become secure during normal installation. The researcher strongly disagrees and says he identified nearly 7,500 internet-exposed instances, with about 20% accessible without authentication. SecurityWeek said it confirmed many IQ4 interfaces were exposed online, but did not independently verify all of the researcher’s claims.
That makes this less clear-cut than a normal “patched CVE” story. At this stage, the issue looks like a mix of risky default exposure, deployment weakness, and disputed vendor severity, rather than a fully acknowledged software flaw with a published fix. The coordination path reportedly includes CERT/CC case VU#854120, and the researcher says a CVE is pending.
What the researcher says is happening
The researcher advisory says the affected Trend IQ4xx controllers expose the full Web HMI without requiring authentication when no user module is configured. In that state, the web interface reportedly runs as a high-privilege system user, which could allow read and write access to controller functions through the browser interface.
The advisory also says the controller’s U.htm page can be reached before authentication is enabled. According to the researcher, that means an attacker who reaches the interface may create a new administrative user first, turn on the user module under attacker-controlled credentials, and effectively lock out legitimate operators from both local and web access.
Another detail in the advisory involves a hidden Diagnostics Overview endpoint at /^.htm or /%5E.htm, which may expand the exposed functionality available to an attacker who can reach the controller. A proof-of-concept script called trendhmi.py has also been referenced publicly.
What Honeywell says
Honeywell’s response, as quoted by SecurityWeek, pushes back hard on the researcher’s framing. The company said, “IQ4 devices are delivered unconfigured and are set up by trained technicians before they become operational.” Honeywell added that the scenario described by the researcher “could only occur during a brief installation phase, before the system is active, or if security settings were deliberately disabled against clear warnings.”
Honeywell also said, “At that stage, the device cannot monitor or control any equipment, and there is no impact on operations.” The vendor further argued that “when installed using normal processes, security is automatically enabled as part of a secure-by-default design.”
The researcher disputes those points and told SecurityWeek he had seen installations where no user account had been created, yet he could still make changes to things like lighting, temperature, boilers, and chillers. SecurityWeek said it verified that many IQ4 interfaces were exposed online, but did not verify those operational-impact claims itself.
At a glance
| Item | Details |
|---|---|
| Product family | Honeywell Trend IQ4 / IQ4xx controllers |
| Reported issue | Web HMI accessible without authentication in certain default or misconfigured states |
| Main risk | Unauthorized read/write access, admin account creation, possible operator lockout |
| Researcher advisory | ZSL-2026-5979 |
| Coordination | CERT/CC case VU#854120, CVE reportedly pending |
| Vendor position | Honeywell says the issue reflects improper or incomplete installation, not normal operation |
Why this matters
These devices sit in building management systems, which often control HVAC, lighting, and other physical functions inside schools, offices, hospitals, and industrial facilities. If a controller’s web interface is open online with no authentication, the risk goes beyond simple information exposure. Depending on deployment and permissions, an attacker may be able to alter settings, disrupt operations, or lock out legitimate operators.
The story also fits a bigger OT security pattern. Products designed for on-premises use often become internet-reachable through convenience, rushed deployment, or flat network design. Even when vendors say devices should never face the public internet, researchers and journalists keep finding them exposed anyway. In this case, SecurityWeek said it confirmed that many IQ4 interfaces were indeed exposed online.
Reported affected products and versions
| Reported affected products | Reported affected firmware/builds |
|---|---|
| IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, IQECO | 4.36 (build 4.3.7.9), 4.34 (build 4.3.5.14), 3.52 (build 3.5.3.15), 3.50, 3.44 |
These product and version details come from the researcher advisory echoed in multiple reports. I did not find a public Honeywell advisory page confirming this exact affected-version table.
What organizations should do now
- Remove direct internet exposure. Honeywell says IQ4 is intended for on-premises use, not public internet access. Keep controller web interfaces behind VPN, allowlists, or dedicated management paths only.
- Verify that authentication is actually enabled. Confirm that a proper user module and web user exist, and test whether unauthenticated access to the HMI or U.htm remains possible. This step follows directly from the researcher’s reported access path.
- Segment OT and BMS networks. Do not leave building automation systems on flat corporate networks or broad remote-access paths. Honeywell’s Trend security best-practice document emphasizes secure deployment and controlled network access.
- Watch for suspicious HTTP requests. Hunt for requests to U.htm, /^.htm, or /%5E.htm, plus unexpected creation of new admin users. Those are strong indicators if you suspect exposure.
- Inventory exposed controllers. Identify Trend IQ systems, verify firmware, and review access-rights configuration against Honeywell guidance.
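The two detection-oriented items above (checking whether U.htm answers without credentials, and hunting access logs for U.htm, /^.htm and /%5E.htm) are illustrated by the following Python script. It is an added example written for this article, not code from the researcher advisory, from trendhmi.py, or from Honeywell. It assumes Combined Log Format access logs and plain HTTP on port 80, treats an unauthenticated 200 for U.htm as a result to review by hand rather than proof of exploitability, and the sample log lines are constructed.

```python
"""Hunt for Trend IQ4 web HMI indicators in HTTP access logs, and classify
an unauthenticated probe of a controller's HMI.

Added example for this article; not code from the researcher advisory,
trendhmi.py, or Honeywell. Assumptions: Combined Log Format logs, plain
HTTP on port 80, and a 200 for U.htm with no credentials is a "review"
result, not proof that the controller is exploitable.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

# Endpoints named in the researcher advisory, stored percent-decoded so
# that /^.htm and its encoded form /%5E.htm map to the same entry.
WATCH_PATHS = {"/U.htm", "/^.htm"}

# Combined Log Format (assumed): src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode so encoded variants match."""
    return urllib.parse.unquote(urllib.parse.urlsplit(target).path)


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["target"])
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines):
    """Return findings for requests that touch the watched paths.

    A POST/PUT to U.htm is rated high because the advisory describes U.htm
    as the page used to create a user before authentication is enabled;
    any other hit is rated medium and reviewed together with its source.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCH_PATHS:
            continue
        severity = "high" if rec["method"] in ("POST", "PUT") else "medium"
        findings.append({
            "src": rec["src"], "ts": rec["ts"], "method": rec["method"],
            "path": rec["path"], "status": rec["status"], "severity": severity,
        })
    return findings


def by_source(findings):
    """Count watched-path hits per source address (dict src -> count)."""
    return dict(Counter(f["src"] for f in findings))


def classify_probe(status: int) -> str:
    """Map the status of an unauthenticated GET to a triage label."""
    if status in (401, 403):
        return "auth-enforced"
    if status == 200:
        return "review-unauthenticated-200"   # content served with no credentials
    if status in (301, 302, 303, 307, 308):
        return "redirect-inspect"             # often a bounce to a login page
    return f"unknown-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as HTTPError instead of following them; otherwise a
    bounce to a login page would be fetched and look like a 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, path: str = "/U.htm", timeout: float = 5.0) -> str:
    """GET path with no credentials and classify the answer.
    Only run against controllers you own or are authorised to test.
    Assumption: plain HTTP on port 80 (hypothetical default for this example)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(f"http://{host}{path}", timeout=timeout) as resp:
            return classify_probe(resp.status)
    except urllib.error.HTTPError as e:
        return classify_probe(e.code)
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /U.htm HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2026:09:14:09 +0000] "POST /U.htm HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Mar/2026:09:15:40 +0000] "GET /%5E.htm?x=1 HTTP/1.1" 200 8801',
    '10.20.0.5 - - [10/Mar/2026:09:16:00 +0000] "GET /index.htm HTTP/1.1" 200 1200',
    'not an access-log line',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['method']} {f['path']} -> {f['status']}")
    print("hits per source:", by_source(hunt(SAMPLE_LOG)))
```

Run it as-is to see the three flagged requests from the constructed log; point probe() at a controller you are authorised to test to get a triage label. The redirect handler matters: without it, urllib would follow a bounce to a login page and report the login page's 200 as if the HMI itself had been served.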
FAQ
Is this a patched vulnerability?
Not in the usual sense. The researcher says the issue is real and serious, but Honeywell says it reflects an installation-stage or misconfiguration scenario and has not announced a software patch in the reporting reviewed here.
How many controllers are exposed?
The researcher says he found nearly 7,500 exposed instances, and SecurityWeek said it confirmed many were internet-exposed. However, SecurityWeek did not independently verify the full count or all exploitation claims.
Can an attacker create an admin account on an exposed controller?
According to the researcher advisory, yes, if the controller is reachable and the user module has not yet been enabled. The claimed path uses the U.htm page before authentication takes effect.
What does Honeywell recommend?
Honeywell says the product is intended for on-premises use and should not be directly exposed to the internet. The company also says trained technicians should perform setup and that security becomes enabled during normal installation.