Your Security Camera Is Watching You Get Owned: CVE-2026-1670 in Honeywell CCTV Systems

There is a particular brand of irony in having your network compromised through the device you installed to protect the building. That is what CVE-2026-1670 delivers: a critical authentication bypass in Honeywell CCTV systems that lets an unauthenticated attacker walk straight through your security camera — not physically, but digitally — and use it as a launchpad into the rest of your network.

No credentials required. No social engineering. No phishing campaign. Just a single unauthenticated API call to a forgotten endpoint, and the attacker owns the account. What happens next is where it gets interesting.

The Vulnerability: Strip Away the Jargon

CISA published advisory ICSA-26-048-04 on February 17, 2026. Security researcher Souvik Kandar discovered the flaw and reported it to the agency. The CVE is tracked as CVE-2026-1670, classified under CWE-306 — Missing Authentication for Critical Function — and scored at a CVSS v3.1 base score of 9.8 out of 10.

Here is what that actually means in plain terms.

Rather than cracking passwords or exploiting session tokens, attackers can directly alter the recovery email associated with a Honeywell CCTV account without ever being authenticated to the system. The device exposes an API endpoint — the kind that should require credentials before it does anything — that handles the "forgot password" recovery flow. It does not check who is calling it. Anyone who can reach the device on the network can send it a request telling it to change the recovery email to an address they control.

Once they do that, the attack chain is trivial:

  1. Call the unauthenticated endpoint and swap the recovery email to an attacker-controlled address.
  2. Trigger a standard "forgot password" reset.
  3. Receive the reset link at the attacker's inbox.
  4. Complete the password reset and log in as administrator.
  5. You now have full control of the camera — live feeds, recorded footage, configuration, and whatever network access that device has.

This level of access not only compromises the video feeds but could also serve as a pivot point for further network compromise within the facility.

The vulnerability affects four confirmed Honeywell models across specific firmware versions:

Model                           Affected firmware       Note
Honeywell I-HIB2PI-UL 2MP IP    6.1.22.1216
Honeywell SMB NDAA MVO-3        WDR_2MP_32M_PTZ_v2.0    NDAA-Compliant
Honeywell PTZ WDR 2MP 32M       WDR_2MP_32M_PTZ_v2.0
Honeywell 25M IPC               WDR_2MP_32M_PTZ_v2.0

NDAA Designation Matters Here

The NDAA designation on the SMB NDAA MVO-3 is worth noting. NDAA-compliant cameras are specifically marketed and sold into U.S. government agencies and federal contractors as approved, vetted hardware. A critical authentication bypass in a device purchased explicitly because it was supposed to be trustworthy is a different kind of problem.

The specific model families named in CISA's advisory are mid-level video surveillance products used in small to medium business environments, offices, and warehouses, some of which may be part of critical facilities.

What Makes This Worse Than the Headline Suggests

Coverage of this vulnerability has largely focused on the obvious: someone can watch your cameras. That is bad, but it is also the least interesting part of the attack surface here.

The real threat is what the camera is connected to.

Many industrial environments operate on "flat" networks — a legacy architecture predating IT/OT convergence as a recognized security concern, and often retained to minimize latency and reduce configuration complexity. This means once an attacker compromises a low-security IoT device like a smart sensor or a camera, there are no internal firewalls stopping them from pivoting laterally straight into the critical control systems that manage production lines.

Think about where Honeywell cameras are actually deployed. Warehouses. Data center facilities. Corporate campuses. Hospitals. Government buildings. Utilities. These are not isolated environments. In many deployments, the CCTV network shares infrastructure with — or runs adjacent to — IT networks that contain far more valuable targets: Active Directory, HR systems, ERP platforms, industrial control systems, and OT environments.

The convergence between the IT world's laptops, web applications, and hybrid workspaces and the OT world's factory and facility-bound control systems brings severe risk consequences. Attackers can "jump" air gaps between formerly physically isolated systems, making IoT devices like cameras and smart conference rooms risk catalysts that create novel entryways into core infrastructure. Microsoft documented exactly this pattern in a real incident where malware spread from a compromised contractor laptop through a connected industrial network during routine maintenance. The Honeywell scenario is the same chain with a different entry point.

The attack scenarios that actually matter are not the attacker watching your lobby camera. They are the four below.

Four Attack Scenarios That Actually Matter

Reconnaissance before physical intrusion. An attacker studying live feeds over days or weeks can map guard patrol schedules, identify blind spots, track when specific personnel enter and leave, and time a physical breach with surgical precision. As Daniel dos Santos, VP of Research at Forescout, noted in the company's 2025 Threat Roundup, post-exploitation discovery activity now accounts for 91% of attacker behavior after initial compromise — up from just 25% in 2023 — confirming that reconnaissance is a primary objective, not an afterthought. Camera access accelerates that phase dramatically.

Evidence destruction during an active attack. Once an attacker has established persistence in your network through a secondary compromise, they can return to the CCTV system and delete or corrupt recorded footage from the period covering their intrusion. You come in the next morning with an incident and no video evidence.

Lateral movement to adjacent systems. Compromised CCTV systems can serve as entry points to corporate networks. NVRs and video management systems often store months of footage and run on the same network segment as the cameras. Ransoming surveillance archives at a hospital or government facility carries its own specific leverage.

Nation-state and advanced persistent threat use cases. Foreign intelligence operations targeting U.S. government facilities and critical infrastructure do not need zero-days when the front door is standing open. A camera in a cleared facility, a contractor's office, or an energy sector operation provides persistent visual access and a potential foothold that is almost never monitored with the same scrutiny as a workstation or server.

The Broader Context: IP Cameras Are Getting Hammered Right Now

This is not an isolated incident. It fits a documented and accelerating pattern.

Forescout's 2025 Threat Roundup analyzed over 900 million cyberattacks observed globally between January and December 2025 and found that exploits against IoT devices rose from 16% to 19%, with IP cameras and network video recorders remaining the most frequent targets within that category. The same report found an 84% surge in attacks using OT protocols, led by Modbus at 57%, Ethernet/IP at 22%, and BACnet at 8%.

ENISA's 2025 Threat Landscape, which analyzed 4,875 cybersecurity incidents recorded between July 2024 and June 2025, found that operational technology accounted for 18.2% of recorded cases — confirming that OT and adjacent device categories like surveillance infrastructure are firmly in the crosshairs.

The convergence of IT and OT environments was supposed to bring efficiency. It brought the attack surface along with it. As Bitsight Principal Research Scientist João Godinho summarized the trajectory: "As the number of IoT devices keeps increasing, and given their questionable supply chains, we'll likely keep more vulnerabilities in these devices. Threat actors will likely continue to take advantage of this to build their botnets for various purposes."

Camera vulnerabilities specifically have a track record of being weaponized at scale. Mirai — the botnet that took down large portions of the internet in 2016 — was built predominantly from compromised IP cameras and DVRs. The Verkada breach in 2021 gave attackers live access to 150,000 cameras across hospitals, prisons, police departments, schools, and Tesla manufacturing facilities. Axis Communications camera vulnerabilities have been a recurring research topic for years.

History of similar camera and encoder advisories shows rapid development of mass-scan tools and automated exploit scripts once device families and network fingerprints are public. Devices running the affected firmware versions are identifiable through passive scanning tools, meaning internet-exposed instances can be enumerated by anyone motivated to look. CISA reports no known exploitation of CVE-2026-1670 as of the advisory date. That window is closing.

The CWE-306 Problem Is Everywhere and Nobody Fixes It

CWE-306 — Missing Authentication for Critical Function — is not a novel or exotic vulnerability class. It maps directly to the OWASP Top 10 category for Identification and Authentication Failures (A07) and appears on MITRE's CWE Top 25 year after year. It is the same root cause behind some of the most catastrophic ICS/OT breaches on record. Developers build a convenient API endpoint, skip authentication because it is "internal" or because it "only handles password recovery," and ship it. The endpoint is then exposed to any device that can reach it on the network.
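To make the CWE-306 pattern concrete, here is an added illustration (not Honeywell's firmware, and not the endpoint named in the advisory) of a recovery-email handler that skips authentication, beside a hardened version that requires a session, binds the change to that session's own account, re-verifies the current password, and writes an audit record. Accounts, requests and the audit list are constructed inline.

```python
# Added illustration of the CWE-306 pattern in a recovery-email endpoint; a
# hypothetical handler, not Honeywell's firmware. Accounts and requests are
# constructed inline so it runs offline.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    recovery_email: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Request:
    body: Dict[str, str]
    session_user: Optional[str] = None  # None means no authenticated session


class AuthError(Exception):
    pass


def make_account(username: str, password: str, recovery_email: str) -> Account:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return Account(username, recovery_email, salt, pw_hash)


def set_recovery_email_vulnerable(accounts: Dict[str, Account], req: Request) -> Account:
    """CWE-306: trusts a caller-supplied username and never asks who is calling,
    so anyone who can reach the endpoint can redirect password resets."""
    acct = accounts[req.body["username"]]
    acct.recovery_email = req.body["email"]
    return acct


def set_recovery_email_hardened(accounts: Dict[str, Account], req: Request, audit: List[str]) -> Account:
    """Require a session, bind the change to that session's own account,
    re-verify the current password, and record the change for detection."""
    if req.session_user is None:
        raise AuthError("authentication required")
    acct = accounts[req.session_user]
    supplied = req.body.get("current_password", "").encode()
    candidate = hashlib.pbkdf2_hmac("sha256", supplied, acct.salt, 100_000)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        raise AuthError("re-authentication failed")
    old = acct.recovery_email
    acct.recovery_email = req.body["email"]
    audit.append(f"user={acct.username} recovery_email_change {old} -> {acct.recovery_email}")
    return acct
```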

The pattern is consistent across industrial control systems, building automation, surveillance, and embedded devices: manufacturers prioritize feature delivery, treat network-accessible management APIs as low-risk because they assume network segmentation will contain them, and skip authentication on anything that seems administrative but not destructive.

That assumption has been wrong for years. A compromised security camera can open the way into core infrastructure, creating broader infrastructure security risks. The attack chain from IoT device to critical system is well-documented. One small weakness can spread failure across the entire network.

Honeywell has not published a public advisory at the time of writing. Their official guidance, per the CISA advisory, is to contact their support team directly for patch information at honeywell.com/us/en/contact/support. Patch availability and exploitation status will change — monitor the CISA advisory page directly for updates.

The Physical-to-Digital Attack Chain Nobody Talks About

Security teams have been told for years to worry about attackers going from digital to physical — ransomware knocking out manufacturing lines, hackers causing industrial accidents. CVE-2026-1670 runs the threat in the other direction.

An attacker who owns your cameras has already compromised your physical security. They know when your facility is unoccupied. They know where your badge readers are. They know where your network equipment is physically installed. They can watch you walk to the server room. They can observe your guard rotation and identify the window when no one is watching a particular corridor.

You want video systems separated from finance and payroll systems. Remote access to any of those environments should use a VPN, multi-factor authentication, and jump hosts — not ad hoc port forwarding. If an attacker compromises a single video system, consider the blast radius.

In a well-segmented environment, a compromised camera stays a compromised camera. In the real-world deployments where this vulnerability is most likely to be exploited, a compromised camera is a compromised network.

What You Actually Need to Do

Immediate Actions — Do These Now

Check your environment for the affected models and firmware versions. If you are running Honeywell I-HIB2PI-UL 2MP IP at firmware 6.1.22.1216 or any of the WDR_2MP_32M_PTZ_v2.0 variants across the SMB NDAA MVO-3, PTZ WDR 2MP 32M, or 25M IPC, you are exposed. Contact Honeywell support for patch guidance at honeywell.com/us/en/contact/support.

Network isolation is the most important immediate control. CISA's advisory is direct: minimize network exposure for control system devices, isolate them behind firewalls, and use updated VPN solutions when remote access is required. If your CCTV systems have management interfaces reachable from the general corporate network or from the internet, that needs to change today regardless of patch status.

Audit your recovery email addresses. Any account on an affected system may already have had its recovery email altered if the device has been internet-exposed. Verify the current recovery email on all accounts and rotate all credentials immediately.

Enable logging on your CCTV systems and NVRs. You need to be able to detect account configuration changes. Unexpected modifications to recovery emails or account settings are your indicator of compromise for this specific exploit chain.

Hunt for existing compromise. Any unexpected changes to account recovery settings, login anomalies, or configuration modifications should be treated as potential indicators of compromise and investigated without delay.
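As an added example covering both the logging and the hunting advice above (not code from the advisory or from Honeywell), the script below runs over a few constructed audit lines in an assumed key=value format and flags recovery-email changes that were made without an authenticated session, that came from outside an assumed management subnet, or that were followed shortly by a password reset for the same account.

```python
# Added detection example for the exploit chain described above. The log
# format, the management subnet and the audit lines are all constructed
# assumptions, not Honeywell's actual log output.
from datetime import datetime, timedelta
import ipaddress

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed CCTV management VLAN
RESET_WINDOW = timedelta(minutes=30)             # reset soon after change = suspicious

SAMPLE_LOG = """\
2026-02-18T01:55:10Z src=10.20.0.15 session=s41 action=login user=admin
2026-02-18T02:13:07Z src=203.0.113.5 session=none action=recovery_email_change user=admin new=rescue@example.net
2026-02-18T02:14:02Z src=203.0.113.5 session=none action=password_reset_request user=admin
2026-02-18T02:16:40Z src=203.0.113.5 session=s77 action=password_reset_complete user=admin
2026-02-18T09:02:11Z src=10.20.0.15 session=s80 action=recovery_email_change user=operator new=ops@example.com
"""


def parse_line(line: str) -> dict:
    """Timestamp first, then space-separated key=value pairs."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def hunt(log_text: str) -> list:
    """Return one finding per recovery-email change that matches any rule."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != "recovery_email_change":
            continue
        reasons = []
        if ev["session"] == "none":
            reasons.append("no authenticated session")
        if ipaddress.ip_address(ev["src"]) not in MGMT_NET:
            reasons.append(f"source {ev['src']} outside management subnet")
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > RESET_WINDOW:
                break
            if later["user"] == ev["user"] and later["action"].startswith("password_reset"):
                reasons.append(f"{later['action']} for {ev['user']} within reset window")
                break
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "new_email": ev["new"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The operator's change from inside the management VLAN with a live session is not flagged; the admin change from an external address with no session, followed a minute later by a reset request, is.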

Long term, build the segmentation you should already have. Camera networks belong on isolated VLANs with strict access control lists. Management interfaces should not be reachable from general IT segments. Remote access to CCTV management should require MFA and go through a jump host. This is not new guidance. It is guidance that consistently fails to get implemented because surveillance systems are treated as physical security infrastructure rather than networked computing devices.

"They are networked computing devices. They are running embedded Linux. They have management APIs. They can be compromised, and when they are compromised, they can be used to compromise everything adjacent to them." — CyberSpit

Bottom Line

CVE-2026-1670 is a CVSS 9.8 vulnerability with no authentication requirement, no user interaction needed, and no special attacker skill required. The affected cameras are deployed worldwide in commercial facilities, government buildings, warehouses, and small-to-medium businesses. Honeywell has not published a public patch as of this writing, and no exploitation has been confirmed in the wild — yet. CVE-2026-1670 is not yet on CISA's Known Exploited Vulnerabilities (KEV) catalog; organizations that use KEV as a patching priority signal should not let that create complacency — KEV inclusion is a lagging indicator, and the simplicity of this exploit chain means the window between disclosure and active exploitation is likely short.

The attack chain is three steps: reach the device, call the endpoint, take the account. For devices internet-exposed or reachable from an unsegmented network, an external attacker needs nothing more. Everything after that depends on what the attacker decides to do with camera access — whether that is watching your facility for reconnaissance, deleting evidence of a separate intrusion, or using the device as a pivot point to go deeper into your network.

The cameras watching your building are now watching your network too. Make sure you are watching them back.
