—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Security Bypass Vulnerability in Honeywell CCTV products

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Systems Affected

Honeywell I-HIB2PI-UL 2MP IP 6.1.22.1216 

Honeywell SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0

Honeywell PTZ WDR 2MP 32M WDR_2MP_32M_PTZ_v2.0

Honeywell 25M IPC WDR_2MP_32M_PTZ_v2.0

Overview

A vulnerability has been identified in Honeywell CCTV products that could allow unauthenticated remote attacker to bypass authentication controls, take over administrative accounts, and gain unauthorized access to video feeds.

Target Audience:

Organizations and Individuals using Honeywell CCTV products.

Risk Assessment:

High risk of unauthorized access to sensitive data.

Impact Assessment:

Potential for account takeover, access to live and recorded surveillance feeds.

Description

Honeywell CCTV products are widely used for video surveillance in various sectors, providing critical security services. These systems include both hardware and software components, such as cameras and video management platforms, that are essential for monitoring and recording activities.

A vulnerability exists in Honeywell CCTV products due to authentication error during password recovery mechanism. This vulnerability could allow an attacker to remotely change the recovery email address used for administrative accounts without authentication.

Successful exploitation of this vulnerability could lead to account takeovers and unauthorized access to camera feeds.

Solution

Apply appropriate updates as mentioned:

https://www.honeywell.com/us/en/contact/support

References

Bleeping Computer

https://www.bleepingcomputer.com/news/security/critical-infra-honeywell-cctvs-vulnerable-to-auth-bypass-flaw/

CVE Name

CVE-2026-1670

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmmcXtEACgkQ3jCgcSdc

ys9L5w//XmSdnboMQX0nB2jIsGEVD9lByzVeJw99/n4ep8P4FoBjEoEXaMutXiN8

OTM/V232ElkKo0xsiDMLvwLHw3Nyr0OYj1DeF3dDZZiy2UdfNyJ7nWL3BOGJVDye

9XUHvMArD5ANtBbfbD1R/G5/nAjhmgf8YWaDhzaH+eq7MO/la44Tt0PhKiNf4O15

kAkekK4jdS5h6FkC4BImvtHpPoqdlFupH/p470zUbiG88nhJ4u4GmrYDpCzbM7rY

Fs6rnrcZCWnhTOTndgJ4uYyj+TBJLEzBvqfI2HBl3mEG+xmN5QDJdBeqKEUtz3GP

SV795Uyc7B2INwTtMpTvsnpVW22R54j8Hi5sTFAAWqPaIsJOC6/xkuRuqkMLqDav

Qj6fRPosu8S1J8Hf8r2LkZa95qPT4vvkPp4qhoB27VAifUk/hpjN2jdVF6rL+L5T

8L9RBnW69DkxiE3EIu4SDppmhXT1K7tTDORQEtv+U4/VZOT3k9wnet/u7k+KieJD

OMoC9YQBkDa9+tvOzJYMRiM7m8dkNoXkSA+KsmRHB1hHGNFRHaUowZMMC2LWZHwo

MB4TGj3tgLsmokIst4u19nllPWvM+1ATPOm/0H5CygSCEyBQYpf5vsNjkrLJ3HvC

A9oOO/jTvIrrGPuJWEm+PV05F+NgL+pXjwRBBQGUDmEgqGAi63M=

=cFUv

—–END PGP SIGNATURE—–