Critical vulnerability in Honeywell IQ4x Building Management System controllers allows unauthorized access to controller management settings without authentication. The vulnerability affects multiple IQ4x models in factory-default configuration where the web-based HMI is exposed without authentication, operating under System Guest privileges with read/write access. Attackers can create administrative accounts and lock out legitimate operators from local and web-based configuration. The CVSS score is 10.0 (Critical) with network-based attack vector requiring no privileges or user interaction. Honeywell has not yet released a fix for this vulnerability affecting worldwide critical infrastructure sectors including healthcare, manufacturing, and government facilities.