The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a critical vulnerability in multiple Honeywell CCTV products that allows unauthorized access to feeds or account hijacking.
Discovered by researcher Souvik Kanda and tracked as CVE-2026-1670, the security issue is classified as “missing authentication for critical function,” and received a critical severity score of 9.8. The flaw allows an unauthenticated attacker to change the recovery email address associated with a device account, enabling account takeover and unauthorized access to camera feeds.
The affected product is vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the “forgot password” recovery email address,” CISA says. Honeywell is a major global supplier of security and video surveillance equipment with a broad range of CCTV camera models and related products deployed in commercial, industrial, and critical infrastructure settings worldwide.
The company offers many NDAA-compliant cameras that are suitable for deployment in U.S. government agencies and federal contractors. The specific model families named in CISA’s advisory are mid-level video surveillance products used in small to medium business environments, offices, and warehouses, some of which may be part of critical facilities.
CISA stated that as of February 17th there were no known reports of public exploitation specifically targeting this vulnerability.
Nonetheless, the agency recommends minimizing network exposure of control system devices, isolating them behind firewalls, and using secure remote access methods such as updated VPN solutions when remote connectivity is necessary.
