A serious vulnerability has been identified in several models of Honeywell cameras and video surveillance equipment, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to administrators and customers. The flaw, identified by researcher Souvik Kanda and registered as CVE-2026-1670, carries a critical severity score of 9.8: in practical terms, it allows an unauthenticated attacker to manipulate key elements of the account recovery process and thus take control of device accounts and gain access to video feeds.
At the heart of the problem is an API endpoint that does not require authentication for a sensitive function: changing the email address associated with the password recovery mechanism. Taking advantage of this weakness, an attacker can replace the recovery address with one under their control and then use the password reset process to take over the account. This type of unauthorized access is particularly worrying for cameras deployed in offices, warehouses or critical facilities, because it opens the door to espionage, tampering with recordings or removal of evidence.

CISA itself describes the nature of the risk and lists the affected product families; among the models named are several model references for IP cameras and mid-range PTZ devices that Honeywell markets to small and medium-sized enterprises as well as to industrial environments. You can check the official CISA notice on its industrial cybersecurity advisories page: CISA ICSA-26-048-04. The public reference for the vulnerability identifier is the MITRE entry: CVE-2026-1670 (MITRE).
Honeywell is a global supplier of security and video solutions, and also markets cameras certified as NDAA-compliant for U.S. government environments. Although the company has not yet published a specific technical bulletin for this flaw, its support channel is open to customers who need guidance on patches or mitigation: Honeywell support. Meanwhile, security teams must act with caution and assume that remote access to this equipment can be an exploitable vector.
According to CISA's notification, no public evidence of active exploitation of this vulnerability had been reported as of 17 February. This lack of evidence does not mean that the risk is lower: on the contrary, many intrusions go unnoticed for a long time. This is why the agency reiterates practical and proven measures to reduce the attack surface: minimize the network exposure of control devices, place them behind firewalls, and require remote access to go through secure channels, such as corporate VPNs that are kept up to date. More general guidance on good practice for IoT devices and critical infrastructure is available on the CISA website: CISA Guide to the Protection of Control Systems and in cybersecurity resources for connected devices: Good IoT practices.
What should the administrators and owners of affected cameras do now? The ideal is to stay calm and act in an orderly manner: check inventories to identify whether the models listed by CISA are in use; restrict direct remote access from the Internet to this equipment; review access logs and alerts to detect abnormal activity; and, if remote access is essential, allow it only through secure tunnels and with strong authentication. It is also recommended to rotate credentials and verify the email addresses associated with the device accounts, in case someone has already tried to modify them.
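One way to run the log review described above is to look for the sequence the advisory describes: a recovery-email change made without an authenticated session, followed by a password reset from the same source. The following is an added example, not Honeywell or CISA code; the endpoint paths, the log format and the sample lines are constructed placeholders, since the advisory does not publish them.

```python
import re
from datetime import datetime, timedelta

# Hypothetical paths (not from the advisory): substitute what your devices log.
RECOVERY_EMAIL_PATH = "/api/PLACEHOLDER/recovery-email"
PASSWORD_RESET_PATH = "/api/PLACEHOLDER/password-reset"

# Constructed format: timestamp source-ip user("-" if none) method path status
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the expected format
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["status"] = int(ev["status"])
    return ev

def find_takeover_chains(lines, window=timedelta(minutes=30)):
    """Return (source, change_time, reset_time) for every successful,
    unauthenticated recovery-email change that is followed by a successful
    password reset from the same source within `window`."""
    pending = {}  # source IP -> time of its last unauthenticated change
    findings = []
    for ev in filter(None, map(parse, lines)):
        ok = 200 <= ev["status"] < 300
        if ev["path"] == RECOVERY_EMAIL_PATH and ev["method"] in ("POST", "PUT", "PATCH"):
            if ok and ev["user"] == "-":
                pending[ev["src"]] = ev["ts"]
        elif ev["path"] == PASSWORD_RESET_PATH and ok:
            changed = pending.get(ev["src"])
            if changed and ev["ts"] - changed <= window:
                findings.append((ev["src"], changed, ev["ts"]))
                del pending[ev["src"]]
    return findings

# Constructed sample log, in chronological order.
SAMPLE_LOG = """\
2026-02-10T08:00:01 10.0.5.20 admin POST /api/PLACEHOLDER/recovery-email 200
2026-02-10T08:05:00 10.0.5.20 admin POST /api/PLACEHOLDER/password-reset 200
2026-02-11T02:14:07 203.0.113.7 - POST /api/PLACEHOLDER/recovery-email 200
2026-02-11T02:16:30 203.0.113.7 - POST /api/PLACEHOLDER/password-reset 200
2026-02-11T03:00:00 198.51.100.9 - POST /api/PLACEHOLDER/recovery-email 401
2026-02-11T03:01:00 198.51.100.9 - POST /api/PLACEHOLDER/password-reset 200
"""
```

On the sample, only the 203.0.113.7 pair is reported. A successful unauthenticated change with no reset after it is still worth investigating, and the recovery address on that account should be checked against your records.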

It is also appropriate to coordinate with the supplier. Although Honeywell has not yet issued a specific public patch for CVE-2026-1670, its support team may provide interim guidance, workarounds or mitigation plans until an update is released. You can contact them through the support channel mentioned above. Communication with the manufacturer is key to receiving official instructions and avoiding false fixes that could make the situation worse.
In the long term, this incident is a reminder of an elementary lesson: video surveillance devices are part of the physical and cybersecurity ecosystem, and managing them requires coherent policies and controls. From network segmentation to asset inventories and regular updates, through identity management and centralized event logging, cyber hygiene practices significantly reduce the risk of intrusion. If you want to dig deeper into recommended controls and defensive measures for critical infrastructure and control systems, CISA publishes useful and up-to-date material: Defence measures and guides.
In short, CVE-2026-1670 is a high-impact vulnerability in several Honeywell devices that allows account hijacking through an unauthenticated endpoint used to manage password recovery. Although no public attacks have been confirmed to date, as CISA indicates, prudence dictates isolating and protecting these devices, auditing configurations and credentials, and contacting Honeywell to receive official recommendations and patches. Staying vigilant and implementing containment measures now will help avoid bigger problems later.