The U.S. Cybersecurity and Infrastructure Safety Company (CISA) is warning of a essential vulnerability in a number of Honeywell CCTV merchandise that enables unauthorized entry to feeds or account hijacking.
Found by researcher Souvik Kanda and tracked as CVE-2026-1670, the safety concern is classed as “lacking authentication for essential operate,” and obtained a crtical severity rating of 9.8.
The flaw permits an unauthenticated attacker to vary the restoration electronic mail tackle related to a tool account, enabling account takeover and unauthorized entry to digital camera feeds.
“The affected product is susceptible to an unauthenticated API endpoint publicity, which can enable an attacker to remotely change the “forgot password” restoration electronic mail tackle,” CISA says.
In line with the safety advisory, CVE-2026-1670 impacts the next fashions:
- I-HIB2PI-UL 2MP IP 6.1.22.1216
- SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0
- PTZ WDR 2MP 32M WDR_2MP_32M_PTZ_v2.0
- 25M IPC WDR_2MP_32M_PTZ_v2.0
Honeywell is a significant world provider of safety and video surveillance tools with a broad vary of CCTV digital camera fashions and associated merchandise deployed in business, industrial, and important infrastructure settings worldwide.
The corporate affords many NDAA-compliant cameras which might be appropriate for deployment in U.S. authorities businesses and federal contractors.
The particular mannequin households named in CISA’s advisory are mid-level video surveillance merchandise utilized in small to medium enterprise environments, workplaces, and warehouses, a few of which can be a part of essential amenities.
CISA said that as of February seventeenth there have been no recognized stories of public exploitation particularly concentrating on this vulnerability.
Nonetheless, the company recommends minimizing community publicity of management system units, isolating them behind firewalls, and utilizing safe distant entry strategies resembling up to date VPN options when distant connectivity is important.
Honeywell has not revealed an advisory on CVE-2026-1670, however customers are suggested to contact the corporate’s help group for patch steering.
Fashionable IT infrastructure strikes sooner than guide workflows can deal with.
On this new Tines information, find out how your group can scale back hidden guide delays, enhance reliability by automated response, and construct and scale clever workflows on high of instruments you already use.
