PT-2026-20283 · Honeywell · Honeywell Cctv Products

Souvik Kandar · Published 2026-02-17 · Updated 2026-04-05 · CVE-2026-1670

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

Honeywell CCTV products versions prior to firmware updates addressing CVE-2026-1670
Honeywell I-HIB2PI-UL 2MP IP (6.1.22.1216)
Honeywell SMB NDAA MVO-3, PTZ WDR 2MP 32M, 25M IPC (WDR 2MP 32M PTZ v2.0)

Description

The affected products are vulnerable to an unauthenticated API endpoint exposure. This allows an attacker to remotely change the "forgot password" recovery email address, potentially leading to full account takeover and unauthorized access to camera feeds. The issue is rated as critical with a CVSS score of 9.8. The vulnerability impacts systems deployed in commercial, industrial, and critical infrastructure environments globally.

The vulnerable API endpoint does not require authentication, enabling an attacker to modify the email address associated with password recovery. This allows the attacker to initiate a password reset and gain control of the account. The recovery email is the key parameter exploited through the exposed API endpoint.

Recommendations

Apply firmware updates addressing CVE-2026-1670 as soon as they become available.
Remove internet exposure for affected cameras.
Segment affected cameras on a network to limit access.
Enforce secure remote access to affected cameras.
As a temporary workaround, consider restricting access to the vulnerable API endpoint.

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-1670

Affected Products

Honeywell Cctv Products