Executive Summary
In February 2026, a critical vulnerability (CVE-2026-1670) was disclosed in multiple Honeywell CCTV products: an unauthenticated API endpoint lets remote attackers change the 'forgot password' recovery email address, which enables account hijacking and unauthorized access to camera feeds. The affected models are the I-HIB2PI-UL 2MP IP (version 6.1.22.1216) and the SMB NDAA MVO-3, PTZ WDR 2MP 32M and 25M IPC models running firmware WDR_2MP_32M_PTZ v2.0. (bleepingcomputer.com)
The vulnerability underscores the importance of securing IoT devices, especially those deployed in critical infrastructure. Organizations are advised to minimize network exposure of such devices, isolate them behind firewalls, and use secure remote access methods like updated VPN solutions. (bleepingcomputer.com)
Why This Matters Now
The CVE-2026-1670 vulnerability in Honeywell CCTV products highlights the urgent need for organizations to secure IoT devices, particularly those integral to critical infrastructure. Immediate action is required to prevent unauthorized access and potential exploitation.
Attack Path Analysis
An attacker exploited a critical authentication bypass vulnerability in Honeywell CCTV products, allowing unauthorized access to camera feeds. By changing the recovery email address associated with the device account, the attacker gained administrative control over the system. With elevated privileges, the attacker moved laterally to other networked devices. They established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. The attack resulted in significant operational disruption and potential exposure of confidential information.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited an authentication bypass vulnerability (CVE-2026-1670) in Honeywell CCTV products, allowing unauthorized access to camera feeds.
Related CVEs
CVE-2026-1670
CVSS 9.8
An unauthenticated API endpoint exposure in multiple Honeywell CCTV products allows remote attackers to change the 'forgot password' recovery email address, leading to potential account takeover and unauthorized access to camera feeds.
Affected Products:
Honeywell I-HIB2PI-UL 2MP IP – 6.1.22.1216
Honeywell SMB NDAA MVO-3 WDR_2MP_32M_PTZ – v2.0
Honeywell PTZ WDR 2MP 32M WDR_2MP_32M_PTZ – v2.0
Honeywell 25M IPC WDR_2MP_32M_PTZ – v2.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Modify Authentication Process
Exploitation for Defense Evasion
Use Alternate Authentication Material
Exploitation for Credential Access
External Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users and Administrators
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerability, including operational, regulatory, and cloud security risks.
Government Administration
Critical infrastructure CCTV vulnerabilities enable unauthorized surveillance access, compromising physical security controls and violating zero trust network segmentation principles.
Utilities
Authentication bypass flaws in Honeywell surveillance systems expose power grids and water facilities to reconnaissance attacks and operational technology compromise.
Health Care / Life Sciences
CCTV security breaches threaten HIPAA compliance through unauthorized facility monitoring and potential lateral movement into sensitive medical network infrastructure.
Banking/Mortgage
Financial institution surveillance systems are vulnerable to exploitation, enabling physical-security reconnaissance and potential coordination with cyber attacks on banking operations.
Sources
- Critical infra Honeywell CCTVs vulnerable to auth bypass flaw: https://www.bleepingcomputer.com/news/security/critical-infra-honeywell-cctvs-vulnerable-to-auth-bypass-flaw/
- Honeywell CCTV Products | CISA: https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-04
- CVE-2026-1670: The affected products are vulnerable to an unauthenticated API endpoint exposure: https://www.cvedetails.com/cve/CVE-2026-1670/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF would likely have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial unauthorized access may still occur, subsequent attacker actions would likely be constrained by enforced segmentation and access controls.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained by identity-aware policies limiting administrative access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely be constrained by enforced segmentation and monitoring of east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely be constrained by controlled egress policies and monitoring.
The overall impact of the attack would likely be reduced due to constrained attacker actions and limited data exfiltration.
Impact at a Glance
Affected Business Functions
- Physical Security Monitoring
- Surveillance Operations
Estimated downtime: N/A
Estimated loss: N/A
Unauthorized access to live and recorded surveillance footage.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal network communications.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Regularly audit and update device firmware to mitigate known vulnerabilities.
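The two concrete defensive steps this page recommends, auditing device firmware against the affected list and keeping camera management interfaces isolated behind firewalls, can be checked together from an inventory. The following is an added example, not code from the page, from Aviatrix or from Honeywell: it matches each device's model and firmware against the affected products listed in this advisory, then evaluates a constructed firewall ruleset to report which affected cameras can be reached from outside the management network. The inventory, the management VLAN (10.50.0.0/24), the rule format and all device names and addresses are constructed assumptions; only the model names and firmware versions come from the page.

```python
"""Audit a camera inventory for CVE-2026-1670 exposure.

Added example (not from the advisory or the vendor). Reports, for every device
whose model/firmware matches the affected list, whether any firewall rule lets
traffic from outside the management VLAN reach its web/API port.
"""
import ipaddress
from dataclasses import dataclass, field

# Affected product/firmware pairs exactly as listed on this page.
AFFECTED_FIRMWARE = {
    "I-HIB2PI-UL 2MP IP": {"6.1.22.1216"},
    "SMB NDAA MVO-3": {"WDR_2MP_32M_PTZ_v2.0"},
    "PTZ WDR 2MP 32M": {"WDR_2MP_32M_PTZ_v2.0"},
    "25M IPC": {"WDR_2MP_32M_PTZ_v2.0"},
}

# Constructed assumption: the only network that should manage cameras.
MGMT_NET = ipaddress.ip_network("10.50.0.0/24")


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    ip: str


@dataclass
class Rule:
    """Simplified 'allow' rule: src CIDR may reach dst CIDR on these TCP ports."""
    src: str
    dst: str
    ports: set = field(default_factory=set)


def is_affected(dev: Device) -> bool:
    """True when the device's model/firmware pair is on the affected list."""
    return dev.firmware in AFFECTED_FIRMWARE.get(dev.model, set())


def exposed_sources(dev: Device, rules: list, port: int = 443) -> list:
    """Return source CIDRs (as strings) outside MGMT_NET that may reach dev on port."""
    ip = ipaddress.ip_address(dev.ip)
    found = []
    for rule in rules:
        if ip not in ipaddress.ip_network(rule.dst) or port not in rule.ports:
            continue
        src = ipaddress.ip_network(rule.src)
        # A source range that is not fully inside the management VLAN is exposure.
        if src.version != MGMT_NET.version or not src.subnet_of(MGMT_NET):
            found.append(str(src))
    return found


def audit(devices: list, rules: list, port: int = 443) -> list:
    """List (name, status, sources) for affected devices; unaffected ones are skipped."""
    findings = []
    for dev in devices:
        if not is_affected(dev):
            continue
        srcs = exposed_sources(dev, rules, port)
        findings.append((dev.name, "EXPOSED" if srcs else "ISOLATED", srcs))
    return findings


# Constructed sample inventory and ruleset.
DEVICES = [
    Device("cam-lobby", "I-HIB2PI-UL 2MP IP", "6.1.22.1216", "10.50.0.10"),
    Device("cam-gate", "PTZ WDR 2MP 32M", "WDR_2MP_32M_PTZ_v2.0", "10.50.0.11"),
    Device("cam-dock", "25M IPC", "WDR_2MP_32M_PTZ_v2.0", "10.60.0.5"),
    Device("nvr-main", "Other NVR", "1.0", "10.50.0.20"),   # not an affected model
]
RULES = [
    Rule("10.50.0.0/24", "10.50.0.0/24", {80, 443}),      # management VLAN only: fine
    Rule("192.168.1.0/24", "10.50.0.11/32", {443}),       # office LAN reaching one PTZ
    Rule("0.0.0.0/0", "10.60.0.0/24", {443}),             # internet-facing: the bad rule
]

if __name__ == "__main__":
    for name, status, srcs in audit(DEVICES, RULES):
        print(f"{name:10} {status:9} {', '.join(srcs)}")
```

Run stand-alone, the script lists cam-lobby as ISOLATED and cam-gate and cam-dock as EXPOSED with the offending source ranges, while the NVR is skipped because its model is not on the list. The check deliberately treats any source range that is not wholly inside the management VLAN as exposure, so a rule for 0.0.0.0/0 or an office LAN is flagged even when it is narrower than the internet; it is an inventory and firewall-policy audit only and does not detect whether the recovery-email endpoint has actually been used.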