CVE-2026-1670: CWE-306 Missing Authentication for Critical Function in Honeywell I-HIB2PI-UL 2MP IP
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.
AI Analysis
Technical Summary
CVE-2026-1670 is a critical flaw in firmware version 6.1.22.1216 of Honeywell's I-HIB2PI-UL 2MP IP camera. An unauthenticated API endpoint lets a remote attacker change the "forgot password" recovery email address, so a critical function is exposed with no authentication at all (CWE-306). The flaw is exploitable over the network (AV:N) with low attack complexity (AC:L) and requires neither privileges (PR:N) nor user interaction (UI:N). Confidentiality, integrity, and availability impacts are all rated high (VC:H, VI:H, VA:H): an attacker can hijack the account recovery mechanism, potentially locking out legitimate users and gaining persistent unauthorized access. Although no public exploits are currently known, the critical nature of the flaw and the widespread use of Honeywell IP cameras in industrial, commercial, and critical infrastructure environments elevate the risk. No patch was available at the time of disclosure, which makes immediate mitigation necessary. This vulnerability underscores the importance of securing API endpoints and enforcing strict authentication controls on sensitive functions such as password recovery.
Potential Impact
The impact of CVE-2026-1670 is severe for organizations using the affected Honeywell IP camera firmware. Attackers exploiting this vulnerability can remotely change the password recovery email address, effectively hijacking user accounts and bypassing authentication controls. This can lead to unauthorized access to camera feeds, manipulation of device settings, and potential disruption of security monitoring operations. In critical infrastructure or industrial environments, compromised cameras can serve as entry points for broader network intrusion, espionage, or sabotage. The confidentiality of video streams and sensitive operational data is at risk, as is the integrity of device configurations. Availability may also be affected if attackers lock out legitimate users or disrupt device functionality. The ease of exploitation and lack of required privileges or user interaction increase the likelihood of attacks, potentially resulting in widespread compromise of security systems relying on these devices.
Mitigation Recommendations
1. Immediately isolate affected devices from untrusted networks to reduce exposure until a patch is available.
2. Monitor network traffic for unusual API calls targeting password recovery endpoints and implement intrusion detection rules specific to this vulnerability.
3. Enforce network segmentation to limit access to IP camera management interfaces to trusted administrators only.
4. Implement multi-factor authentication (MFA) on management consoles and any associated user accounts to reduce the impact of compromised recovery mechanisms.
5. Regularly audit and review account recovery email addresses and device configurations for unauthorized changes.
6. Engage with Honeywell support to obtain firmware updates or patches addressing this vulnerability as soon as they are released.
7. Consider deploying Web Application Firewalls (WAFs) or API gateways that can enforce authentication and rate limiting on exposed API endpoints.
8. Educate security teams and administrators about this vulnerability and the importance of securing device management interfaces.
9. Maintain an incident response plan to quickly address potential exploitation attempts and recover compromised accounts and devices.
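One way to act on recommendation 2, as an added example that is not part of the advisory or Honeywell's code: it scans reverse-proxy access logs for state-changing requests to the recovery-email endpoint that arrive without an authenticated identity or from outside the admin network. The endpoint path (a placeholder, since the advisory does not name it), the admin subnet, the JSON log schema and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumptions (not from the advisory): the endpoint path is a placeholder,
# and the admin subnet and JSON log schema are constructed for illustration.
RECOVERY_PATH_MARKERS = ("/PLACEHOLDER-recovery-email",)
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample: proxy log lines in front of camera management interfaces.
SAMPLE_LOG = """\
{"ts":"2026-02-18T09:00:01Z","src":"10.20.0.15","method":"POST","path":"/PLACEHOLDER-recovery-email","user":"admin","status":200}
{"ts":"2026-02-18T09:03:44Z","src":"10.20.0.15","method":"GET","path":"/PLACEHOLDER-recovery-email","user":"admin","status":200}
{"ts":"2026-02-18T11:12:09Z","src":"192.0.2.77","method":"POST","path":"/PLACEHOLDER-recovery-email","user":"-","status":200}
{"ts":"2026-02-18T11:12:30Z","src":"10.20.0.15","method":"PUT","path":"/PLACEHOLDER-recovery-email?id=1","user":"-","status":200}
{"ts":"2026-02-18T11:13:02Z","src":"192.0.2.77","method":"POST","path":"/PLACEHOLDER-live-view","user":"-","status":401}
not-json garbage line
"""

def is_admin_source(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is never treated as trusted
    return any(addr in net for net in ADMIN_NETS)

def find_suspect_changes(log_text):
    """Return (findings, skipped); each finding carries a 'reasons' list."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            path, method = ev["path"], ev["method"].upper()
        except (ValueError, KeyError, AttributeError, TypeError):
            skipped += 1  # count malformed records instead of dropping them silently
            continue
        if method not in STATE_CHANGING:
            continue  # reads do not alter the recovery address
        if not any(marker in path for marker in RECOVERY_PATH_MARKERS):
            continue
        reasons = []
        if ev.get("user", "-") in ("-", "", None):
            reasons.append("no authenticated identity")
        if not is_admin_source(ev.get("src", "")):
            reasons.append("source outside admin network")
        if reasons:
            findings.append({"ts": ev.get("ts"), "src": ev.get("src"), "reasons": reasons})
    return findings, skipped
```

A non-zero skipped count is worth alerting on in its own right, since a gap in parsing is a gap in coverage.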
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, Japan, South Korea, Saudi Arabia, United Arab Emirates, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-01-30T00:35:22.440Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6994f69980d747be20df4360
Added to database: 2/17/2026, 11:15:37 PM
Last enriched: 2/25/2026, 12:10:08 AM
Last updated: 4/6/2026, 7:52:33 AM