Critical infra Honeywell CCTVs vulnerable to auth bypass flaw

Source: Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a critical vulnerability in multiple Honeywell CCTV products that allows unauthorized access to feeds or account hijacking.

Discovered by researcher Souvik Kanda and tracked as CVE‑2026‑1670, the issue is classified as “missing authentication for critical function” and received a critical severity score of 9.8.

The flaw allows an unauthenticated attacker to change the recovery email address associated with a device account, enabling account takeover and unauthorized access to camera feeds.

“The affected product is vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the forgot password recovery email address,” – CISA.

Affected Models

CVE‑2026‑1670 impacts the following Honeywell models:

• I-HIB2PI-UL 2MP IP 6.1.22.1216
• SMB NDAA MVO-3 – WDR_2MP_32M_PTZ_v2.0
• PTZ WDR 2MP 32M – WDR_2MP_32M_PTZ_v2.0
• 25M IPC – WDR_2MP_32M_PTZ_v2.0

These mid‑level video surveillance products are typically used in small‑to‑medium business environments, offices, and warehouses, and may be part of critical facilities.

Mitigation Recommendations

• Minimize network exposure of control‑system devices.
• Isolate devices behind firewalls and segment them from general IT networks.
• Use secure remote‑access methods (e.g., updated VPN solutions) when remote connectivity is required.
• Contact Honeywell support for patch guidance: .

References

• CISA advisory:
• Honeywell NDAA‑compliant cameras:
• CVE‑2026‑1670 details: (tracked by CVE database)