Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Honeywell IQ4x BMS Controller Missing authentication for critical function
Vulnerability Description
The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Honeywell IQ4x 访问控制错误漏洞
Vulnerability Description
Honeywell IQ4x是美国Honeywell公司的一系列楼宇自动化系统中的网络控制器。 Honeywell IQ4x存在访问控制错误漏洞,该漏洞源于默认配置下未启用身份验证,可能导致远程用户创建具有管理权限的账户。
CVSS Information
N/A
Vulnerability Type
N/A