
Intro
CISA has issued a critical advisory for CVE-2026-1670 affecting multiple Honeywell CCTV models. The flaw allows unauthenticated attackers to modify account recovery email settings via an exposed API endpoint, enabling full account takeover and unauthorized access to camera feeds. While no public exploitation has been confirmed as of February 17, exposure risk remains significant for internet-accessible devices.
CVE Context
– Products & versions affected:
  - I-HIB2PI-UL 2MP IP: 6.1.22.1216
  - SMB NDAA MVO-3: WDR_2MP_32M_PTZ_v2.0
  - PTZ WDR 2MP 32M: WDR_2MP_32M_PTZ_v2.0
  - 25M IPC: WDR_2MP_32M_PTZ_v2.0
– Disclosure timeline: Reported by researcher Souvik Kanda; CISA advisory issued February 2026
– Attack vector: Remote network-based
– Authentication: None required
– Impact: Account takeover, unauthorized video feed access
CVSS Metric Breakdown (v4.0) - CVE-2026-1670 (Missing Authentication for Critical Function)
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Confidentiality Impact (VC): High
- Integrity Impact (VI): High
- Availability Impact (VA): None
- Scope Changed (SC): No
- Safety Impact (SI): None
- Automation (SA): Yes
- Exploit Maturity: Not publicly weaponized
- Base Score: 9.8 (Critical)
No confirmed exploit kits or public PoC tools are currently circulating. However, exposed CCTV management interfaces remain historically attractive targets for botnets and surveillance hijacking campaigns.
EPSS Scoring
- CVE-2026-1670
- EPSS Probability: 0.00039
- EPSS Percentile: 11.863%
- Model Date: February 2026
Exploitation Detail
– Attacker identifies exposed Honeywell CCTV management interface
– Sends crafted request to unauthenticated API endpoint
– Modifies "forgot password" recovery email field
– Initiates password reset
– Gains administrative access to camera system
```http
POST /api/account/recovery-email HTTP/1.1
Host: target-device-ip
Content-Type: application/json

{ "new_recovery_email": "attacker@malicious-domain.com" }
```
The vulnerability resides in the device's API authentication logic layer, where authorization checks are absent for sensitive account modification functions.
Attacker Behavior Snapshot
– Attacker sends unauthenticated POST request to recovery endpoint
– Device processes request without validating session or token
– Email field is updated in account database
– Password reset workflow grants attacker control
Why This Matters
This vulnerability highlights how embedded device APIs often expose administrative functionality without sufficient authentication validation. In surveillance deployments, compromise extends beyond data theft into physical security intelligence and operational visibility.
Exploitation results in:
- Unauthorized live camera feed access
- Administrative account takeover
- Surveillance intelligence exposure across facilities
MITRE ATT&CK Mapping
Initial Access: T1190 – Exploit Public-Facing Application
Persistence: T1098 – Account Manipulation
Collection: T1125 – Video Capture
Detection Rules
YARA Rule (Memory/Doc/PCAP)
```yara
rule Honeywell_CCTV_API_Abuse
{
    strings:
        $api1  = "/api/account/recovery-email"
        $json1 = "new_recovery_email"
    condition:
        // both strings must be referenced: YARA refuses to compile a rule with an unused string
        any of them
}
```
Suricata or Zeek (Network)
```suricata
alert http any any -> any any (
    msg:"Honeywell CCTV Recovery Email Modification Attempt";
    flow:established,to_server;
    http.uri; content:"/api/account/recovery-email";
    classtype:attempted-admin;
    sid:90001670; rev:1;
)
```
Sigma Rule (SIEM/EDR)
```yaml
title: Honeywell CCTV Recovery Email Change
logsource:
    product: network
    category: webserver
detection:
    selection:
        request_uri|contains: "/api/account/recovery-email"
        request_method: "POST"
    condition: selection
level: high
```
Detection Strategies
Network Detection:
- Monitor exposed CCTV interfaces on public IP ranges
- Detect POST requests to account management API endpoints
- Alert on password reset requests from unfamiliar IP geolocations
Endpoint Detection:
- Audit device configuration changes
- Monitor administrative login events following recovery email changes
- Correlate configuration modifications with external IP access logs
Splunk Query
```splunk
index=network_logs sourcetype=http
uri_path="/api/account/recovery-email" method=POST
| stats count by src_ip, dest_ip, user_agent
```
SOC Detection Strategy
– Treat recovery email modification events as high-severity alerts
– Correlate configuration change logs with authentication logs
– Escalate immediately if device is externally exposed
– Validate whether VPN or firewall controls were bypassed
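The correlation described under Detection Strategies and SOC Detection Strategy, as an added example that is not part of the original post or of any Honeywell tooling: it flags POST requests to the advisory's recovery endpoint in a constructed HTTP access log, then raises severity when the same source follows up with a password reset or login inside a short window, or when the source lies outside the internal management ranges. The sample log lines, the follow-up paths /api/account/password-reset and /api/login, the 15-minute window and the RFC 1918 ranges are assumptions, not values from the advisory.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not from any real device), one request per line in the
# shape a Zeek http.log or the device's web log could be normalised to:
# timestamp  src_ip  method  uri  status
SAMPLE_LOG = """\
2026-02-17T10:00:01Z 203.0.113.45 POST /api/account/recovery-email 200
2026-02-17T10:00:09Z 203.0.113.45 POST /api/account/password-reset 200
2026-02-17T10:03:30Z 203.0.113.45 POST /api/login 200
2026-02-17T11:15:00Z 10.0.8.12 POST /api/account/recovery-email 200
2026-02-17T12:00:00Z 198.51.100.7 GET /api/stream/live 401
"""

RECOVERY_URI = "/api/account/recovery-email"  # endpoint named in the advisory
# Assumed (hypothetical) paths for the reset and login steps that complete a takeover.
FOLLOWUP_URIS = {"/api/account/password-reset", "/api/login"}
WINDOW = timedelta(minutes=15)  # assumed correlation window
# Assumed internal management ranges; any other source is treated as external exposure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, method, uri, status = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "method": method, "uri": uri, "status": int(status)})
    return events

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """One alert per POST to the recovery endpoint; critical when the same source hits a
    reset/login path within WINDOW (the takeover sequence) or comes from outside."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["method"] != "POST" or ev["uri"] != RECOVERY_URI:
            continue
        followups = [e["uri"] for e in events[i + 1:]
                     if e["src"] == ev["src"] and e["uri"] in FOLLOWUP_URIS
                     and e["ts"] - ev["ts"] <= WINDOW]
        external = is_external(ev["src"])
        alerts.append({"src": ev["src"], "ts": ev["ts"].isoformat(), "external": external,
                       "followups": followups,
                       "severity": "critical" if (followups or external) else "high"})
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` yields two alerts: the external source with both follow-up steps is critical, the internal change with no follow-up stays high for manual review.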
Tools & Techniques
| Tool | Usage |
|---|---|
| Sysmon | Detect unusual configuration change triggers if integrated |
| Velociraptor | Validate endpoint log integrity and device state |
| Zeek | HTTP API monitoring |
| Sigma/YARA | Signature development for recovery endpoint abuse |
Mitigation & Response
– Contact Honeywell support for patch guidance
– Remove direct internet exposure immediately
– Place devices behind firewall with strict ACLs
– Enforce VPN-based remote access only
– Rotate all administrative credentials
– Enable MFA if supported
– Monitor for unauthorized configuration changes
Incident Response Snippets
– Review device configuration logs for recovery email changes
– Audit authentication logs for suspicious IP addresses
– Validate camera firmware version
– Inspect firewall logs for external access attempts
– Reset credentials and validate firmware integrity
Suggested Reading & External References
– CISA Advisory for CVE-2026-1670
– Honeywell Security Support Documentation
– MITRE ATT&CK Framework (T1190, T1098, T1125)
Final Thoughts
Unauthenticated API exposure enables direct account takeover and live surveillance compromise. The most effective action is immediate network isolation of exposed devices and coordinated patch validation.
Published: February 19, 2026