Critical Authentication Bypass in Honeywell CCTV Products Allows Remote Account Takeover
Take action: Make sure your CCTV cameras are isolated from the internet and accessible from trusted networks only. Then check your Honeywell CCTV firmware versions and contact their support for patches.
Learn More
CISA and Honeywell report a critical security flaw in several CCTV camera models that allows unauthenticated attackers to take over devices remotely.
The vulnerability is tracked as CVE-2026-1670 (CVSS score 9.8) - A missing authentication vulnerability in a critical API endpoint that manages password recovery settings. An attacker can send a direct request to the exposed endpoint to change the "forgot password" recovery email address without any credentials. By redirecting the recovery email to an address they control, the attacker can then use the standard password reset process to gain full administrative access to the camera.
Beyond privacy violations, a compromised camera serves as a persistent foothold within a corporate network, allowing attackers to scan for other vulnerable devices. Because these cameras are often deployed in critical infrastructure and commercial buildings, the risk of physical security breaches or operational disruption is high.
Affected models include the I-HIB2PI-UL 2MP IP (version 6.1.22.1216) and the SMB NDAA MVO-3 (version WDR_2MP_32M_PTZ_v2.0).
The PTZ WDR 2MP 32M and the 25M IPC running version WDR_2MP_32M_PTZ_v2.0 are also vulnerable to this remote exploit.
The Honeywell HIB2PI product has been discontinued since April 2025.
Honeywell recommends that affected users contact their official support team to get patch information and firmware updates. To mitigate immediate risk and for devices that are no longer supported, administrators should isolate CCTV networks from the internet and place them behind firewalls. If remote access is necessary, organizations should use a Virtual Private Network (VPN).
