www.securityweek.com 3/3/2026, 3:40:24 PM

Honeywell IQ4 exposed risk as 7500 internet interfaces await CVE

A SecurityWeek report centres on a dispute over a high-risk vulnerability in Honeywell's IQ4 building management controller. Researcher Gjoko Krstic says nearly 7,500 IQ4 interfaces are exposed to the internet and that around 20% of them can be accessed without authentication. He also asserts that he was able to write changes to control equipment in installations where accounts had not yet been created.

The vendor disputes the severity and impact, arguing that IQ4 devices are delivered unconfigured for on‑premises use and should not be internet‑exposed; according to Honeywell, the described scenario could only occur during installation or if security settings were deliberately disabled. SecurityWeek has independently confirmed that many IQ4 interface instances are accessible online, and Krstic says a CVE for the vulnerability is pending.

The researcher reported the findings to Honeywell in December 2025 and has reached out to CERT/CC at Carnegie Mellon University as part of the disclosure process. According to cybersecurity firms, threat actors target building automation systems.

Article by CyberSIXT