CISA warns of a critical 9.8-severity vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products that allows unauthenticated attackers to change recovery emails and take over camera accounts. The flaw stems from an exposed unauthenticated API endpoint affecting several mid-level Honeywell camera models; users should minimize network exposure and contact Honeywell support for patch guidance. #Honeywell #CVE-2026-1670
Keypoints
- CVE-2026-1670 is classified as “missing authentication for critical function” and has a 9.8 severity score, discovered by Souvik Kanda.
- An unauthenticated API endpoint can be abused to change the “forgot password” recovery email, enabling account takeover and access to camera feeds.
- The advisory lists affected models such as I-HIB2PI-UL 2MP, SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0, and related PTZ WDR 2MP families.
- CISA reported no known public exploitation as of February 17 and recommends isolating control system devices behind firewalls and minimizing network exposure.
- Honeywell has not yet published a specific advisory; users are advised to contact Honeywell support and use secure remote access methods like updated VPNs until patches are available.