Critical

Missing Authentication in Honeywell CCTV Password Recovery API

Identifiers: CVE-2026-1670, CWE-306 · Missing Authentication for…

CVE-2026-1670 is a critical missing-authentication vulnerability in multiple Honeywell CCTV products. The issue is caused by exposure of an unauthenticated API endpoint tied to the device's "forgot password" workflow. An attacker can remotely invoke this endpoint without valid credentials to change the password recovery email address associated with the device account. After replacing the recovery address with one under attacker control, the attacker can trigger the password reset process and obtain administrative control of the affected device. Reported affected products include Honeywell I-HIB2PI-UL 2MP IP version 6.1.22.1216 and several camera lines running firmware WDR_2MP_32M_PTZ_v2.0, including SMB NDAA MVO-3, PTZ WDR 2MP 32M, and 25M IPC. CISA characterizes the flaw as "missing authentication for critical function" and assigns CVSS v3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to full account takeover of the affected CCTV device by allowing an attacker to redirect password recovery to an attacker-controlled email address and reset the administrative password. This can provide unauthorized access to camera feeds and device management functions. The advisory material also notes the compromised device could serve as a pivot point for broader network compromise, particularly where surveillance devices are reachable from enterprise or operational networks.

Mitigation

If you can’t patch tonight, do this now.

Until patches are available, minimize exposure of affected cameras and ensure they are not directly accessible from the Internet. Place devices behind firewalls, isolate them from business networks through segmentation, and restrict management access to trusted networks only. Where remote access is required, use secure VPN-based access and keep VPN infrastructure updated. Perform impact analysis and risk assessment before operational changes in ICS/OT environments.
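
The exposure check described above can be run against an asset inventory. The following is an added example, not code from Honeywell, CISA, or Mallory: it flags devices matching the affected model and firmware strings listed on this page and reports which of them accept management traffic from outside the trusted networks. The CSV column names, host names, addresses, and the EXAMPLE-CAM-X model are constructed assumptions.

```python
import csv
import io
import ipaddress

# Affected identifiers exactly as reported on this page (CVE-2026-1670).
AFFECTED_MODEL_VERSIONS = {("I-HIB2PI-UL", "6.1.22.1216")}
AFFECTED_FIRMWARE = {"WDR_2MP_32M_PTZ_v2.0"}

# Constructed sample inventory; the column names are assumptions of this example.
# mgmt_allowed_from = source CIDRs the firewall lets reach the device's web/API port.
SAMPLE_INVENTORY = """\
host,model,firmware,mgmt_allowed_from
cam-lobby,I-HIB2PI-UL,6.1.22.1216,0.0.0.0/0
cam-dock,PTZ WDR 2MP 32M,WDR_2MP_32M_PTZ_v2.0,10.20.0.0/24
cam-gate,25M IPC,WDR_2MP_32M_PTZ_v2.0,10.20.0.0/24;203.0.113.0/24
cam-roof,EXAMPLE-CAM-X,1.0.0,0.0.0.0/0
"""


def is_affected(model, firmware):
    """True if the model/firmware pair matches what the page lists as affected."""
    model, firmware = model.strip(), firmware.strip()
    return (model.upper(), firmware) in AFFECTED_MODEL_VERSIONS or firmware in AFFECTED_FIRMWARE


def untrusted_sources(allowed, trusted):
    """Return the allowed source CIDRs that are not contained in any trusted network."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    out = []
    for cidr in filter(None, (c.strip() for c in allowed.split(";"))):
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted_nets):
            out.append(str(net))
    return out


def triage(inventory_csv, trusted):
    """Map each affected host to the untrusted sources that can reach its management API."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["model"], row["firmware"]):
            findings[row["host"]] = untrusted_sources(row["mgmt_allowed_from"], trusted)
    return findings


if __name__ == "__main__":
    for host, exposed in triage(SAMPLE_INVENTORY, ["10.20.0.0/24"]).items():
        status = "EXPOSED to " + ", ".join(exposed) if exposed else "restricted to trusted networks"
        print(f"{host}: affected, management {status}")
```

Hosts that come back with a non-empty list are the ones to move behind the firewall or VPN first, since the vulnerable endpoint requires no credentials.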

Remediation

Patch, then assume compromise.

Apply Honeywell firmware updates or vendor-provided fixes when available. The available material indicates that Honeywell stated no fix was available for I-HIB2PI-UL at the time of its notice and that a patch was being developed. Organizations should contact Honeywell support for model-specific patch guidance and update affected devices promptly once corrected firmware is released.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Honeywell | I-Hib2pi-Ul | hardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.


Social activity: 23

Community discussion across Reddit, Mastodon, and other social sources.