CISA Warns: Honeywell CCTV Flaw Enables Remote Account Takeover


CISA issued advisory ICSA-26-048-04 on February 17, 2026, warning of the critical vulnerability CVE-2026-1670 in Honeywell CCTV cameras. The authentication bypass (CVSS 9.8) lets unauthenticated attackers change the password recovery email address remotely. After a password reset, attackers gain admin access to live camera feeds.

Security researcher Souvik Kandar discovered the missing authentication on a critical API endpoint. No login is required to modify the recovery email, and full account takeover follows via a password reset sent to the attacker-controlled address.

The devices are deployed worldwide in commercial facilities and critical infrastructure. No public exploits have been reported yet. Immediate mitigation is essential because remote exploitation is trivial.

Vulnerability Details

An unauthenticated API endpoint exposes the password recovery function. Attackers POST a new email address directly, and legitimate reset emails are then routed to the attacker's inbox.

Attack sequence:

  1. Discover exposed Honeywell camera IP
  2. POST /api/recovery-email with attacker email
  3. Trigger password reset via changed email
  4. Login with new credentials
  5. Full admin access to video feeds

Compromised cameras serve as network pivots. Attackers gain physical security visibility for further operations.

Affected Products List

| Product Name | Affected Version |
|---|---|
| I-HIB2PI-UL 2MP IP | 6.1.22.1216 |
| SMB NDAA MVO-3 | WDR_2MP_32M_PTZ_v2.0 |
| PTZ WDR 2MP 32M | WDR_2MP_32M_PTZ_v2.0 |
| 25M IPC | WDR_2MP_32M_PTZ_v2.0 |

Multiple IP and PTZ camera families are vulnerable. The commercial facilities sector is the primary deployment.

Technical Impact Scope

| Consequence | Risk Level | Description |
|---|---|---|
| Account Takeover | Critical | Admin credentials compromised |
| Video Feed Access | Critical | Live surveillance exposed |
| Network Pivot | High | Internal network reconnaissance |
| Physical Security | High | Facility layout mapping |
| Lateral Movement | Medium | VPN/remote access abuse |

CVSS breakdown: Attack Vector is Network, with no privileges or user interaction required.

CISA Mitigation Guidance

Network segmentation:

  • Isolate control systems behind firewalls
  • Block direct Internet access to cameras
  • Separate OT from IT networks

Remote access:

  • Deploy updated VPN solutions only
  • Secure jump servers with MFA
  • Monitor VPN logs for anomalies

Immediate actions:

  • Scan perimeter for exposed cameras
  • Change all recovery email addresses
  • Implement network access controls

Honeywell patch status is unavailable. Contact vendor support directly.

Exposure Assessment

Discovery risk:

Shodan: "Honeywell" port:80/443
Censys: "Server: Honeywell" country:US/EU

Internet-facing cameras:

  • Corporate headquarters
  • Retail chains
  • Manufacturing plants
  • Government facilities
  • Data centers

Physical security compromise enables targeted social engineering attacks.

Detection Indicators

Network traffic:

POST /api/recovery-email 200 OK
User-Agent: non-browser patterns
Recovery email changes without admin login

Log anomalies:

Password reset emails to unknown domains
Failed logins post-email change
Unusual geolocation for admin access
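
The "recovery email changes without admin login" indicator can be checked against proxy logs. The following is an added example, not code from CISA or Honeywell: it assumes camera traffic passes through a reverse proxy that writes combined-format access logs, and the `/api/login` path and 30-minute window are hypothetical values to adapt.

```python
import re
from datetime import datetime, timedelta

# RECOVERY_PATH is the path named in the article; the rest are assumptions.
RECOVERY_PATH = "/api/recovery-email"
LOGIN_PATH = "/api/login"                  # hypothetical login endpoint
SESSION_WINDOW = timedelta(minutes=30)     # assumed admin session lifetime

# Combined log format: ip - - [time] "METHOD path proto" status size "ref" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def find_unauthenticated_changes(lines):
    """Flag successful recovery-email POSTs with no recent login from that client."""
    last_login = {}   # client IP -> time of its last successful login
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        ok = m["status"].startswith("2")
        if path == LOGIN_PATH and ok:
            last_login[m["ip"]] = ts
        elif path == RECOVERY_PATH and ok:
            seen = last_login.get(m["ip"])
            if seen is None or ts - seen > SESSION_WINDOW:
                alerts.append({"ip": m["ip"], "time": ts.isoformat(),
                               "non_browser_ua": "Mozilla" not in m["ua"]})
    return alerts

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [17/Feb/2026:09:00:01 +0000] "POST /api/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Feb/2026:09:02:10 +0000] "POST /api/recovery-email HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Feb/2026:09:05:44 +0000] "POST /api/recovery-email HTTP/1.1" 200 15 "-" "python-requests/2.31"',
    '198.51.100.3 - - [17/Feb/2026:09:06:00 +0000] "POST /api/recovery-email HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '192.0.2.10 - - [17/Feb/2026:10:15:00 +0000] "POST /api/recovery-email HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in find_unauthenticated_changes(SAMPLE):
        print(alert)
```

Source IP is only a proxy for session identity here; behind NAT or a shared jump server, correlate on a session cookie or authenticated username if the proxy logs one.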

Vendor Response Status

CISA timeline:

  • Discovery: Souvik Kandar
  • Published: February 17, 2026
  • Exploitation: None reported
  • Patch: Honeywell support contact required

There is no public vendor advisory. Organizations must reach technical support directly.

Risk Prioritization Matrix

| Exposure | Urgency | Action |
|---|---|---|
| Internet-facing | Critical | Isolate immediately |
| VPN accessible | High | MFA + network controls |
| Internal only | Medium | Monitor + vendor contact |
| Air-gapped | Low | Routine patching |

ICS Best Practices Reference

CISA recommendations:

https://www.cisa.gov/uscert/ics
Isolate control systems
Minimize Internet exposure
Secure remote access
Vendor patch coordination

FAQ

What vulnerability affects Honeywell cameras?

CVE-2026-1670, a missing-authentication flaw (CVSS 9.8), covered in CISA advisory ICSA-26-048-04.

How do attackers exploit it?

They change the recovery email without authenticating, then reset the password to an address they control.

Which products are affected?

I-HIB2PI-UL 2MP and multiple PTZ models. The full list is above.

Are public exploits known?

No reports as of February 17, 2026.

Is a Honeywell patch available?

Contact vendor support. No public advisory has been published.

What is the primary deployment sector?

Commercial facilities worldwide, including critical infrastructure.

What is the immediate mitigation?

Isolate cameras from the Internet, place them behind firewalls, and allow access only through a secure VPN.
