CISA has warned that a critical security vulnerability (CVE-2026-1670) has been identified in four Honeywell CCTV camera models.
“Successful exploitation of this vulnerability could lead to account takeovers and unauthorized access to camera feeds; an unauthenticated attacker may change the recovery email address, potentially leading to further network compromise,” the advisory said.
The flaw is classified as “missing authentication for critical function” and has been given a CVSS severity score of 9.8.
According to CISA, the vulnerability stems from an unauthenticated API endpoint that lets bad actors remotely change the “forgot password” recovery email address associated with a camera account.
CISA advises users to take proactive steps to reduce the likelihood of exploitation of this vulnerability. First, minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Next, place control system networks and remote devices behind firewalls and segregate them from business networks.
If remote access is necessary, use more secure methods, such as Virtual Private Networks (VPNs), while understanding that VPNs themselves have vulnerabilities and should be updated to the latest version available, and that a VPN is only as secure as the devices connected to it.
Finally, conduct proper impact analysis and risk assessment before implementing defensive actions.
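As an added illustration of the first two recommendations (no Internet exposure, and cameras behind a firewall and separated from the business network), the nftables ruleset below is example configuration written for this article; it is not CISA's or Honeywell's own guidance or code. It assumes a Linux firewall sitting between a dedicated camera VLAN and the rest of the network, and the addresses, interface name and ports are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: segmentation policy for a dedicated camera VLAN on a Linux
# firewall. Every address, interface name and port below is an assumed placeholder.
flush ruleset

define CAM_VLAN  = 10.50.0.0/24   # assumed: subnet holding only the cameras
define NVR       = 10.10.0.5      # assumed: video recorder that pulls the streams
define MGMT_HOST = 10.10.0.20     # assumed: jump host used for camera administration
define CAM_IF    = "vlan50"       # assumed: firewall interface facing the camera VLAN

table inet camera_seg {
    chain forward {
        # Default deny: nothing crosses between the camera VLAN and any other
        # network unless a rule below explicitly allows it. Traffic arriving from
        # the Internet-facing interface therefore never reaches a camera.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were allowed in the other direction.
        ct state established,related accept

        # Cameras initiate nothing on their own: no Internet egress and no path
        # into the business LAN. The drop policy already covers this; logging the
        # attempts makes an unexpected or misconfigured device on the VLAN visible.
        iifname $CAM_IF ip saddr $CAM_VLAN log prefix "cam-egress-blocked " drop

        # Only the NVR may open RTSP and HTTPS sessions to the cameras.
        ip saddr $NVR ip daddr $CAM_VLAN tcp dport { 554, 443 } accept

        # Only the management host may reach the camera web UI, and only over TLS.
        ip saddr $MGMT_HOST ip daddr $CAM_VLAN tcp dport 443 accept

        # Anything else is logged and falls through to the drop policy.
        log prefix "cam-ingress-blocked " drop
    }
}
```

Load it with `nft -f` on the firewall and confirm with `nft list ruleset`. If the cameras need NTP or DNS, add explicit allow rules toward internal servers rather than relaxing the egress drop. Segmentation only removes an outsider's reach to the password-reset endpoint; the firmware update remains necessary, and the "cam-ingress-blocked" log prefix is a useful search key for any attempt to reach the cameras from outside the allowed hosts.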
CISA also maintains a page of recommended practices for control systems security on its ICS webpage at cisa.gov/ics, where several CISA products are available for reading and download.
Massive Security Blind Spots
Nick Mo, CEO & Co-founder of Ridge Security Technology, said: “IoT assets like cameras and smart printers remain massive security blind spots. While organizations obsess over protecting ‘crown jewel’ databases, attackers exploit these overlooked devices as easy entry points.”
Mo added that this shows how a single vulnerability in a CCTV system can compromise critical infrastructure. “Whether it’s a sophisticated exploit or a basic failure—like the 2025 Louvre heist where the password was just ‘Louvre’—the risk is the same: neglected hardware creates an open door.”
“Security testing must include every connected device. Find the holes before the hacker does,” he added.
Protection Becomes a Way into the Network
Michael Bell, Founder and CEO of Suzu Labs, commented: “The device you installed to protect the building just became the way into the network. CVE-2026-1670 lets an unauthenticated attacker change the password recovery email on affected Honeywell cameras and take over the account, no credentials needed. These are NDAA-compliant models that go into government facilities and critical infrastructure, and the vulnerability is an open API endpoint on a password reset function.
“A physical security contractor puts the cameras up, plugs them into whatever network is available, and IT may never know they’re there. Nobody patches a device nobody knows they own, and nobody segments a device that isn’t in the asset inventory. CISA hasn’t seen active exploitation yet, so there’s still a window to get ahead of this one.”
A Fundamental Lapse in Secure-by-design Principles
John Carberry, Solution Sleuth at Xcape Inc, added that this vulnerability is a reminder that the surveillance systems safeguarding our critical infrastructure are frequently exposed to the public Internet. “By leaving a ‘forgot password’ API endpoint unauthenticated, Honeywell inadvertently enabled remote hijacking of device accounts. Attackers could simply redirect recovery emails to themselves, gaining unauthorized access.
Boasting a near-perfect CVSS score of 9.8, it grants attackers a straightforward route from digital compromise to physical surveillance. “This affects NDAA-compliant systems in government and industrial sectors. For Security Operations Center (SOC) teams, the presence of these devices on public-facing networks without VPNs or stringent access controls now constitutes an immediate liability.”
Carberry said: “This issue highlights a fundamental lapse in secure-by-design principles for hardware entrusted with protecting our most sensitive assets. As we increasingly adopt ‘smart’ security solutions for our perimeters, it’s crucial to understand that an unpatched camera is not only a guardian, but it can also become an open portal for pivoting to other sensitive systems.
“Organizations utilizing affected models must prioritize firmware updates, limit external access through network segmentation, and diligently monitor for any unauthorized configuration changes.
“When your security cameras can be commandeered remotely, the watcher becomes the watched.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.