The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical vulnerability in Honeywell CCTV products. The flaw, tracked as CVE-2026-1670, carries a near-maximum CVSS score of 9.8 and allows attackers to hijack camera feeds without ever knowing the administrator’s password.
The vulnerability stems from a basic but devastating oversight: an exposed API endpoint that fails to check if a user is authenticated before processing sensitive requests.
The core of the issue lies in the password recovery mechanism. Typically, resetting a password requires some proof of identity or access to a pre-verified email. However, on affected Honeywell devices, the API allows an unauthenticated user to modify the recovery email address remotely.
“The affected product is vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the ‘forgot password’ recovery email address,” the advisory warns.
Once the attacker sets the recovery email to an address they control, they can simply initiate a standard password reset, lock out the legitimate administrators, and seize full control of the device.
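To make the bug class concrete, here is an added illustration (not Honeywell's code, and not the advisory's) of the difference between a recovery-email handler that skips authentication and one that requires a valid session plus re-entry of the current password before touching the account-recovery channel. The device model, handler names and request fields are hypothetical.

```python
# Added illustration of the bug class described above: a recovery-email
# endpoint that never checks who is calling. Hypothetical handlers, not
# Honeywell's code.
import hmac
import secrets
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac
from typing import Optional


@dataclass
class DeviceState:
    admin_pw_hash: bytes                           # PBKDF2 hash of admin password
    salt: bytes
    recovery_email: str                            # where reset links are sent
    sessions: dict = field(default_factory=dict)   # token -> username


def hash_pw(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_device(password: str, recovery_email: str) -> DeviceState:
    salt = secrets.token_bytes(16)
    return DeviceState(hash_pw(password, salt), salt, recovery_email)


def login(state: DeviceState, password: str) -> Optional[str]:
    """Return a session token on a correct password, else None."""
    if not hmac.compare_digest(hash_pw(password, state.salt), state.admin_pw_hash):
        return None
    token = secrets.token_urlsafe(32)
    state.sessions[token] = "admin"
    return token


def vulnerable_set_recovery_email(state: DeviceState, req: dict) -> int:
    """Anti-pattern: trusts any caller. Returns an HTTP-style status code."""
    state.recovery_email = req["email"]
    return 200


def hardened_set_recovery_email(state: DeviceState, req: dict) -> int:
    """Require an authenticated admin session AND the current password
    (step-up check) before the recovery channel can be changed."""
    if state.sessions.get(req.get("session")) != "admin":
        return 401                                 # not authenticated
    supplied = hash_pw(req.get("current_password", ""), state.salt)
    if not hmac.compare_digest(supplied, state.admin_pw_hash):
        return 403                                 # step-up check failed
    state.recovery_email = req["email"]
    return 200
```

With the hardened handler, an anonymous request cannot redirect password-reset mail, so the reset flow in the paragraph above never starts from an attacker-controlled address.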
The consequences of a successful exploit are immediate and severe. Attackers gain unauthorized access to live camera feeds, turning security tools into surveillance weapons.
“Successful exploitation of this vulnerability could lead to account takeovers and unauthorized access to camera feeds,” the advisory states.
However, the risk extends beyond privacy. Compromised IoT devices like CCTV cameras are often used as beachheads for lateral movement. By gaining a foothold on the camera, attackers can pivot to other devices on the same network.
“An unauthenticated attacker may change the recovery email address, potentially leading to further network compromise.”
The advisory lists several specific models and firmware versions that are vulnerable to this attack. Organizations using the following hardware should audit their inventory immediately:
- Honeywell I-HIB2PI-UL 2MP IP (Version 6.1.22.1216)
- Honeywell SMB NDAA MVO-3 (Version WDR_2MP_32M_PTZ_v2.0)
- Honeywell PTZ WDR 2MP 32M (Version WDR_2MP_32M_PTZ_v2.0)
- Honeywell 25M IPC (Version WDR_2MP_32M_PTZ_v2.0)
Given the CVSS score of 9.8 and the low complexity required to exploit this flaw, administrators are urged to isolate affected cameras from the public internet immediately and apply vendor-supplied firmware updates as soon as they become available.