CVE-2026-1670
Published 2026-02-17
Priority: P2 (64) · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.83% (53.0th percentile)
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | 25m_ipc | — | — |
| honeywell | i-hib2pi-ul_2mp_ip | — | — |
| honeywell | ptz_wdr_2mp_32m | — | — |
| honeywell | smb_ndaa_mvo-3 | — | — |
Detection & IOCs (extracted from sources)
- Target: unauthenticated API endpoint on Honeywell HIB2PI/HDZ Series CCTV cameras that allows changing the 'forgot password' recovery email address without authentication (CWE-306). Monitor for unexpected API calls to password-recovery/email-change endpoints from unauthenticated sessions.
- Affected firmware versions to fingerprint on the network: I-HIB2PI-UL 2MP IP firmware 6.1.22.1216, SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0, PTZ WDR 2MP 32M WDR_2MP_32M_PTZ_v2.0, 25M IPC WDR_2MP_32M_PTZ_v2.0. Identify these devices via banner grabbing or asset inventory.
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-reachable, no credentials required, no user interaction. Prioritize blocking external/internet access to these devices and alert on any unauthenticated HTTP requests to account/password-recovery API paths.
- All firmware versions of Honeywell I-HIB2PI-UL are affected (vers:all/*); the product has been discontinued since April 2025, so no firmware patch may be forthcoming — contact Honeywell support for guidance.
- No known public exploitation has been reported as of the advisory date; however, the unauthenticated nature (no credentials, no interaction) makes opportunistic exploitation straightforward once devices are internet-exposed.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-74hh-vrfx-9235 (ghsa_unreviewed · 2026-02-18) · CVE-2026-1670 [CRITICAL] · CWE-306
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.
CISA ICS
Honeywell HIB2PI and HDZ Series CCTV Cameras (Update B)
cisa_ics · 2026-03-12 · CVSS 9.8 · [CRITICAL]
ICS Advisory ICSA-26-048-04, last revised March 12, 2026
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of this vulnerability could lead to account takeover and unauthorized access to camera feeds.
The following versions of Honeywell HIB2PI CCTV Camera (Update B) are affected:
- I-HIB2PI-UL vers:all/* (CVE-2026-1670)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Honeywell | Honeywell HIB2PI CCTV Camera (Update B) | Missing Authentication for Critical Function |
## Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: India
- Company Headquarters Location: India
No detection rules found.
No public exploits indexed.
Published 2026-02-17