CVE-2026-1670 is a critical security vulnerability identified in the Honeywell I-HIB2PI-UL 2MP IP device, specifically in version 6.1.22.1216. The root cause is a missing authentication mechanism on a critical API endpoint that handles password recovery functions. This unauthenticated API endpoint allows an attacker to remotely change the recovery email address associated with the "forgot password" feature. By altering this email, an attacker can intercept password reset communications, potentially gaining unauthorized access to the device or associated management interfaces. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), highlighting the absence of proper access controls on sensitive operations. The CVSS 4.0 base score of 9.3 reflects the vulnerability’s high severity, with attack vector being network-based (AV:N), no attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H), indicating that exploitation could lead to significant compromise of device security and operational disruption. Although no public exploits are currently known, the vulnerability’s nature and ease of exploitation make it a prime target for attackers. Honeywell devices like the I-HIB2PI-UL 2MP IP are often deployed in industrial control systems, building automation, and security surveillance, making this vulnerability particularly critical in operational technology (OT) environments. The lack of authentication on such a critical function exposes organizations to risks including unauthorized device control, data exfiltration, and potential pivoting into broader network environments. The vulnerability was published on February 17, 2026, and no patches have been linked yet, emphasizing the need for immediate risk mitigation.

For European organizations, the impact of CVE-2026-1670 is substantial, especially those operating in industrial sectors, critical infrastructure, and building automation where Honeywell I-HIB2PI-UL 2MP IP devices are deployed. Successful exploitation could lead to unauthorized control over device management functions, enabling attackers to reset passwords and gain persistent access. This compromises confidentiality by exposing sensitive operational data and credentials, integrity by allowing unauthorized configuration changes, and availability by potentially disrupting device functionality or triggering denial of service. Given the device’s role in security and surveillance, exploitation could also undermine physical security measures. The vulnerability’s network-based attack vector and lack of required privileges mean attackers can exploit it remotely without authentication or user interaction, increasing the risk of widespread attacks. European organizations may face regulatory and compliance consequences if such vulnerabilities lead to breaches affecting personal data or critical services. Additionally, the potential for attackers to use compromised devices as footholds within networks raises the risk of lateral movement and broader cyberattacks.

1. Immediate deployment of vendor-provided patches or firmware updates once available is critical to remediate the vulnerability. 2. Until patches are released, implement strict network segmentation to isolate Honeywell I-HIB2PI-UL 2MP IP devices from untrusted networks, including the internet. 3. Restrict access to device management interfaces using firewalls and access control lists (ACLs) to allow only trusted IP addresses and networks. 4. Monitor network traffic for unusual API calls or attempts to access password recovery functions, employing intrusion detection/prevention systems (IDS/IPS) tuned for Honeywell device signatures. 5. Enforce multi-factor authentication (MFA) on all management interfaces where possible to add an additional layer of security. 6. Conduct regular audits of device configurations and recovery email addresses to detect unauthorized changes. 7. Educate operational technology (OT) and security teams about this vulnerability to ensure rapid incident response capability. 8. Consider deploying compensating controls such as VPNs or jump servers to access devices securely. 9. Maintain an inventory of all affected devices to prioritize remediation efforts effectively.