Executive Summary
In February 2026, a critical vulnerability (CVE-2026-1670) was disclosed in Honeywell CCTV products: an exposed API endpoint lets a remote, unauthenticated attacker change the 'forgot password' recovery email address. An attacker who points that address at a mailbox they control can then run the device's ordinary password-recovery flow, take over the account, and reach live and recorded camera feeds; the compromised device can in turn serve as a foothold into the surrounding network. Affected products are the I-HIB2PI-UL 2MP IP (version 6.1.22.1216) and the SMB NDAA MVO-3, PTZ WDR 2MP 32M and 25M IPC cameras (all at version WDR_2MP_32M_PTZ_v2.0). (cvedetails.com)
The vulnerability underscores the importance of securing IoT devices, especially in critical infrastructure sectors. Organizations should apply vendor fixes as soon as they are available, keep camera management interfaces off untrusted networks, and enforce strict access controls in the meantime.
Why This Matters Now
The rise in IoT device deployments has expanded the attack surface for cyber threats. This incident highlights the urgent need for organizations to prioritize the security of connected devices to prevent unauthorized access and potential data breaches.
Attack Path Analysis
An attacker reaches the unauthenticated API endpoint on a Honeywell CCTV device, rewrites the password-recovery email to an address they control, and completes the recovery flow to take over the account and view camera feeds. With that foothold, the attacker could escalate privileges on the device, move laterally to other systems reachable from the camera network, establish command-and-control channels, exfiltrate footage or other sensitive data, and potentially disrupt operations. No public exploit was known at the time of writing.
Kill Chain Progression
Initial Compromise
Description
The attacker calls the unauthenticated API endpoint to change the 'forgot password' recovery email address, then uses the normal recovery flow to reset the password and gain unauthorized access to the CCTV system.
Related CVEs
CVE-2026-1670
CVSS 9.8
An unauthenticated API endpoint exposure in Honeywell CCTV Products allows remote attackers to change the 'forgot password' recovery email address, potentially leading to account takeovers and unauthorized access to camera feeds.
Affected Products:
Honeywell I-HIB2PI-UL 2MP IP – 6.1.22.1216
Honeywell SMB NDAA MVO-3 – WDR_2MP_32M_PTZ_v2.0
Honeywell PTZ WDR 2MP 32M – WDR_2MP_32M_PTZ_v2.0
Honeywell 25M IPC – WDR_2MP_32M_PTZ_v2.0
Exploit Status:
no public exploit
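To make the flaw class concrete, the following is an added, self-contained model of a recovery-email endpoint in a vulnerable build beside its hardened form, followed by the takeover chain an unauthenticated attacker would run against each. It is example code written for this page, not Honeywell firmware or API code; the endpoint path, account data and HTTP status codes are assumptions.

```python
"""Recovery-email takeover: vulnerable handler beside its hardened form.

Added example for this page, not Honeywell firmware or API code. The
endpoint path, account data and status codes are assumptions; the point
is the flaw class in CVE-2026-1670: a recovery-address write that any
network peer can perform without a session.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    password: str
    recovery_email: str


@dataclass
class Request:
    """Minimal model of one HTTP request to the camera's web API."""
    body: dict
    session_user: Optional[str] = None  # set only when a valid session cookie was presented


class Device:
    """In-memory model of the camera's account and password-recovery flow."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {"admin": Account("admin", "Sup3rSecret!", "ops@example.org")}
        self.reset_tokens: dict[str, str] = {}       # token -> username
        self.outbox: list[tuple[str, str]] = []      # (recipient, token) mail the device "sent"

    def set_recovery_email(self, req: Request) -> int:
        """POST /api/account/recovery-email (hypothetical path). Returns an HTTP status."""
        if not self.hardened:
            # Vulnerable build: trusts the username in the body, never checks for a session.
            acct = self.accounts.get(req.body.get("username", ""))
            if acct is None:
                return 404
            acct.recovery_email = req.body["email"]
            return 200
        # Hardened build: the change is bound to the logged-in user and needs re-authentication.
        if req.session_user is None:
            return 401
        acct = self.accounts[req.session_user]      # any username in the body is ignored
        if not hmac.compare_digest(req.body.get("current_password", ""), acct.password):
            return 403
        acct.recovery_email = req.body["email"]
        return 200

    def request_reset(self, username: str) -> int:
        """The ordinary 'forgot password' step; identical in both builds."""
        acct = self.accounts.get(username)
        if acct is not None:                         # same response either way: no user enumeration
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = username
            self.outbox.append((acct.recovery_email, token))
        return 200

    def complete_reset(self, token: str, new_password: str) -> int:
        username = self.reset_tokens.pop(token, None)
        if username is None:
            return 400
        self.accounts[username].password = new_password
        return 200

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(password, acct.password)


def takeover_attempt(device: Device) -> bool:
    """Run the chain an unauthenticated attacker would try; True if admin is taken over."""
    attacker_mail = "attacker@evil.example"
    # 1. No session at all: attacker supplies the victim username and their own mailbox.
    if device.set_recovery_email(Request(body={"username": "admin", "email": attacker_mail})) != 200:
        return False
    # 2. Trigger the legitimate recovery flow for the victim account...
    device.request_reset("admin")
    # 3. ...and read the reset token from mail that now lands in the attacker's inbox.
    tokens = [tok for (to, tok) in device.outbox if to == attacker_mail]
    if not tokens:
        return False
    device.complete_reset(tokens[-1], "Pwned123!")
    return device.login("admin", "Pwned123!")


if __name__ == "__main__":
    print("vulnerable build taken over:", takeover_attempt(Device(hardened=False)))
    print("hardened build taken over:  ", takeover_attempt(Device(hardened=True)))
```

The hardened branch does two things the vulnerable one skips: it derives the target account from the authenticated session rather than from a client-supplied username, and it requires the current password before touching a recovery attribute. Either check alone stops the unauthenticated chain; together they also stop a stolen session cookie from silently re-pointing recovery mail.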
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Account Manipulation (T1098)
Valid Accounts (T1078)
Steal Web Session Cookie (T1539)
Unsecured Credentials: Container API (T1552.007)
Web Service (T1102)
Steal or Forge Authentication Certificates (T1649)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Software Development
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Commercial Real Estate
Critical vulnerability in Honeywell CCTV systems enables unauthenticated account takeover and unauthorized camera access, compromising physical security monitoring across commercial properties.
Government Administration
Missing authentication in surveillance infrastructure creates critical security gaps allowing unauthorized access to sensitive government facility monitoring and potential network compromise.
Health Care / Life Sciences
CCTV vulnerability poses HIPAA compliance risks through unauthorized surveillance access, potentially exposing patient areas and enabling lateral movement into healthcare networks.
Banking/Mortgage
Financial institutions face severe risk from compromised surveillance systems enabling unauthorized facility monitoring and potential pathways for broader network infiltration attacks.
Sources
- Honeywell CCTV Products, CISA ICS Advisory ICSA-26-048-04: https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-04
- NVD, CVE-2026-1670: https://nvd.nist.gov/vuln/detail/CVE-2026-1670
- Honeywell Support Contact: https://www.honeywell.com/us/en/contact/support
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access to the CCTV system would likely remain unaffected, as CNSF primarily focuses on post-compromise containment and segmentation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges within the CCTV system could be constrained by limiting access to administrative functions based on strict identity-aware policies.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement to other networked devices would likely be limited by enforcing strict segmentation and monitoring east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels could be constrained by continuous monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely be limited by enforcing strict egress policies and monitoring outbound traffic.
The attacker's ability to disrupt operations and deploy ransomware could be constrained by limiting their access and movement within the network.
Impact at a Glance
Affected Business Functions
- Security Monitoring
- Surveillance Operations
Estimated downtime: N/A
Estimated loss: N/A
Potential unauthorized access to live and recorded surveillance footage.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation so that only designated management hosts can reach camera web APIs, and cameras can reach only their NVR or VMS; this limits both initial exposure and lateral movement.
- Deploy Inline IPS (Suricata) to detect and block exploitation attempts against the management API; the recovery-email endpoint path is not given here, so rules must be written around the device's actual API paths and around unauthenticated write requests in general.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic from the camera network, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond promptly to suspicious activity such as recovery-email changes or password resets on camera accounts.
- Regularly update and patch systems to mitigate known vulnerabilities and reduce the attack surface.
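As an added example of the detection step, the script below hunts Suricata eve.json HTTP events for write requests to account-recovery paths on the camera VLAN that either carry no credentials or come from outside the admin network. It is written for this page and is not an advisory or vendor artefact; the subnets and the PATH_HINTS fragments are assumptions (the real endpoint path is not published here), and the event records are constructed rather than captured.

```python
"""Hunt for unauthenticated recovery-endpoint writes to CCTV devices in Suricata eve.json.

Added example for this page, not a vendor or advisory artefact. The camera and
admin subnets, and PATH_HINTS (the real endpoint path is not given in the
advisory summary), are assumptions to tune locally. SAMPLE_EVE is constructed,
not captured traffic; it mimics Suricata HTTP events logged with
dump-all-headers enabled so request headers are available.
"""
import ipaddress
import json

CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")    # assumption: camera VLAN
ADMIN_NET = ipaddress.ip_network("10.0.5.0/24")       # assumption: jump hosts allowed to manage cameras
WRITE_METHODS = {"POST", "PUT", "PATCH"}
PATH_HINTS = ("recovery", "forgot", "reset")         # assumption: fragments of the account-recovery paths

# Constructed events: an admin change with a session cookie, then an outside host
# rewriting the recovery address with no credentials and triggering a reset.
SAMPLE_EVE = """\
{"timestamp":"2026-02-17T10:01:02.000000+0000","event_type":"http","src_ip":"10.0.5.12","dest_ip":"10.20.30.41","dest_port":80,"http":{"hostname":"10.20.30.41","url":"/api/account/recovery-email","http_method":"POST","status":200,"request_headers":[{"name":"Cookie","value":"session=9f1c"}]}}
{"timestamp":"2026-02-17T10:05:44.000000+0000","event_type":"http","src_ip":"192.168.77.9","dest_ip":"10.20.30.41","dest_port":80,"http":{"hostname":"10.20.30.41","url":"/api/account/recovery-email","http_method":"POST","status":200,"request_headers":[{"name":"User-Agent","value":"python-requests/2.31"}]}}
{"timestamp":"2026-02-17T10:06:01.000000+0000","event_type":"http","src_ip":"192.168.77.9","dest_ip":"10.20.30.41","dest_port":80,"http":{"hostname":"10.20.30.41","url":"/api/account/forgot-password","http_method":"POST","status":200,"request_headers":[]}}
{"timestamp":"2026-02-17T10:07:13.000000+0000","event_type":"http","src_ip":"10.0.5.12","dest_ip":"10.20.30.41","dest_port":80,"http":{"hostname":"10.20.30.41","url":"/api/status","http_method":"GET","status":200,"request_headers":[]}}
{"timestamp":"2026-02-17T10:08:00.000000+0000","event_type":"flow","src_ip":"192.168.77.9","dest_ip":"10.20.30.41","dest_port":80}
"""


def _carries_credential(headers: list) -> bool:
    """True if the request presented a session cookie or an Authorization header."""
    names = {h.get("name", "").lower() for h in headers}
    return bool(names & {"cookie", "authorization"})


def suspicious_events(eve_text: str) -> list:
    """Return write requests to recovery paths on cameras that lack credentials
    or originate outside the admin network, one finding per event."""
    findings = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue
        src, dst = ipaddress.ip_address(ev["src_ip"]), ipaddress.ip_address(ev["dest_ip"])
        http = ev["http"]
        if dst not in CAMERA_NET or http.get("http_method", "").upper() not in WRITE_METHODS:
            continue
        url = http.get("url", "").lower()
        if not any(hint in url for hint in PATH_HINTS):
            continue
        reasons = []
        if src not in ADMIN_NET:
            reasons.append("source outside admin network")
        if not _carries_credential(http.get("request_headers", [])):
            reasons.append("no session cookie or Authorization header")
        if reasons:
            findings.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                             "dest_ip": ev["dest_ip"], "url": http.get("url"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_events(SAMPLE_EVE):
        print(f["timestamp"], f["src_ip"], "->", f["dest_ip"], f["url"], "; ".join(f["reasons"]))
```

Run against the constructed sample, the admin's cookie-bearing change is ignored and the two requests from 192.168.77.9 are reported: the recovery-email rewrite and the password reset it sets up. The same predicates (destination in the camera VLAN, write method, recovery path, missing Cookie or Authorization header) map onto an inline Suricata rule using the http.method, http.uri and http.header keywords once the device's real API path is known; until then, blocking all write requests to the cameras from outside the admin network is the safer rule.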



