The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a critical vulnerability in multiple Honeywell CCTV products that allows unauthorized access to feeds or account hijacking.
Discovered by researcher Souvik Kanda and tracked as CVE-2026-1670, the security issue is classified as “missing authentication for critical function,” and received a crtical severity score of 9.8.
The flaw allows an unauthenticated attacker to change the recovery email address associated with a device account, enabling account takeover and unauthorized access to camera feeds.
“The affected product is vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address,” CISA says.
According to the security advisory, CVE-2026-1670 impacts the following models:
I-HIB2PI-UL 2MP IP 6.1.22.1216
SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0
PTZ WDR 2MP 32M WDR_2MP_32M_PTZ_v2.0
25M IPC WDR_2MP_32M_PTZ_v2.0
Honeywell is a major global supplier of security and video surveillance equipment with a broad range of CCTV camera models and related products deployed in commercial, industrial, and critical infrastructure settings worldwide.
... continue reading