PatchSiren

CVE-2026-1670 Honeywell CVE debrief

CVE-2026-1670 is a critical issue in the Honeywell HIB2PI CCTV Camera, covered by the advisory CISA tracks as ICSA-26-048-04. The source describes an unauthenticated API endpoint exposure that may let an attacker remotely change the "forgot password" recovery email address. Honeywell’s remediation guidance says the affected product was discontinued in April 2025 and directs users to contact support for patch information and current-version guidance. In practice, this makes access restriction and asset removal/segmentation especially important where the product remains deployed.

Vendor: Honeywell
Product: I-HIB2PI-UL
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-17
Original CVE updated: 2026-03-12
Advisory published: 2026-02-17
Advisory updated: 2026-03-12

Who should care

Organizations that still operate Honeywell HIB2PI / I-HIB2PI-UL CCTV cameras, especially security teams, OT/ICS operators, facility managers, and integrators responsible for devices placed on production or building networks. Any environment that relies on camera-managed account recovery should treat this as high priority because the advisory describes unauthenticated remote alteration of recovery settings.

Technical summary

The advisory states that the affected product is vulnerable to an unauthenticated API endpoint exposure. An attacker may be able to remotely change the password-recovery email address without authentication. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which aligns with a network-reachable, no-authentication condition and critical impact potential. The advisory revision history shows the issue was initially published on 2026-02-17 and updated on 2026-03-12 with changed affected products and a note that the product is discontinued.

Defensive priority

High. The combination of unauthenticated access, remote effect on account recovery, and critical CVSS scoring warrants immediate containment review. Because Honeywell states the product is discontinued, remediation may depend more on isolation, replacement planning, and support-guided mitigation than on a straightforward patch.

Recommended defensive actions

  • Inventory any deployed Honeywell HIB2PI / I-HIB2PI-UL CCTV camera instances and confirm whether they match the affected scope in the advisory.
  • Place affected devices behind a firewall and keep them off untrusted networks, following Honeywell’s and CISA’s protected-environment guidance.
  • Contact Honeywell customer service and technical support for patch, replacement, or current-version guidance.
  • Review account recovery settings and change-management records for unauthorized updates to the forgot-password recovery email address.
  • Apply CISA ICS recommended practices and defense-in-depth guidance to reduce exposure around device administration and management interfaces.
  • If the product is no longer required, plan for removal or replacement because the advisory states it has been discontinued.

Evidence notes

Source evidence comes from the CISA CSAF advisory ICSA-26-048-04 and its revision history. The advisory title is "Honeywell HIB2PI CCTV Camera (Update B)"; the description explicitly says the affected product is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the "forgot password" recovery email address. The source also records the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, publishedAt 2026-02-17T07:00:00.000Z, modifiedAt 2026-03-12T06:00:00.000Z, and remediation notes stating the product has been discontinued since April 2025. The vendor metadata supplied with the source is low confidence, so this debrief relies on the advisory’s product naming rather than expanding attribution beyond the supplied source corpus.

Official resources

Public advisory published by CISA on 2026-02-17 and updated on 2026-03-12 as Update B. The advisory identifies the issue as an unauthenticated API endpoint exposure affecting Honeywell HIB2PI CCTV Camera products and notes the product has a