Back to Intelligence

Critical Honeywell CCTV Flaw Exposes Feeds to Remote Hijacking

SA
Security Arsenal Team
March 1, 2026
5 min read

In physical security, the eyes on the ground are just as critical as the firewalls on the wire. But what happens when those eyes turn against you? A newly identified critical vulnerability affecting Honeywell HIB2PI and HDZ Series CCTV cameras is doing just that, giving unauthenticated attackers the keys to your surveillance kingdom.

Introduction

Security Arsenal is tracking a severe security flaw (CVE-2026-1670) that impacts Honeywell HDZ322DI, HC20WZ2R25, and I-HIB2PI-UL camera models. With a CVSS score of 9.8, this vulnerability is as bad as it gets. It allows an attacker to bypass authentication entirely and seize control of the device’s recovery mechanism. If your organization relies on these specific models for safety or operational monitoring, you are currently exposed to a high risk of privacy breach and network compromise.

Vulnerability Analysis

The Mechanics of CVE-2026-1670

At the heart of this issue is CWE-306: Missing Authentication for Critical Function. This isn't a complex buffer overflow or a memory corruption bug; it is a fundamental logic error in how the camera’s web interface handles password recovery.

Typically, a “forgot password” workflow requires the user to be already logged in, or at least verify ownership via a token sent to the existing email. In this case, the API endpoint responsible for changing the recovery email address is exposed to the world without requiring any authentication checks.

The Attack Vector

The attack chain is distressingly simple and requires zero prior foothold in the network:

  1. Scanning: The attacker scans the internet or internal networks for the specific web interfaces of Honeywell HIB2PI and HDZ series devices.
  2. API Exploitation: Upon finding a target, the attacker sends a crafted HTTP request to the unauthenticated endpoint.
  3. Account Hijacking: The request modifies the “recovery email” address to one controlled by the attacker.
  4. Access: The attacker initiates a password reset, receives the token, and resets the admin password.
  5. Compromise: With admin credentials, the attacker gains live access to video feeds, can disable recording, and potentially pivot further into the network.

Because the vulnerability is in the recovery mechanism itself, simply having a strong password on the camera offers no protection.

Detection and Threat Hunting

Given that this is an IoT device vulnerability, detection relies heavily on identifying anomalous behavior at the network perimeter or on the internal LAN. Security teams should hunt for unauthorized POST requests to camera management interfaces.

KQL Queries (Microsoft Sentinel / Defender)

Use the following queries to hunt for suspicious API interactions with Honeywell devices in your environment. This assumes you are ingesting web proxy logs or firewall traffic.

Script / Code
// Hunt for unauthenticated POST requests to Honeywell camera endpoints
// Adjust DeviceProduct and RequestURL fields based on your specific log schema
DeviceNetworkEvents
| where ActionType == "HttpRequest"
| where RequestMethod == "POST"
| where DeviceProduct has "Honeywell"
| where RequestURL has "/api" // Broaden or narrow based on known endpoint paths
| where tostring(AdditionalFields) !contains "authorization" // Hunting for lack of auth headers
| project Timestamp, SrcIpAddr, DstIpAddr, DeviceProduct, RequestURL, RequestMethod
| order by Timestamp desc


// Detect successful password changes or account modifications
// This looks for 200 OK responses on configuration endpoints
CommonSecurityLog
| where DeviceVendor == "Honeywell"
| where RequestAction == "POST" and DestinationPort in (80, 443, 8080)
| where RequestURL contains "email" or RequestURL contains "recovery"
| where SentBytes > 0 and ReceivedBytes > 0 // Successful transaction
| summarize count() by SourceIP, DestinationIP, RequestURL

Asset Discovery Script (Python)

To mitigate, you must first know if you have these devices. The following Python script scans a specified IP range for open web services that identify themselves as Honeywell cameras. Note: Use this only on networks you own or have explicit permission to scan.

Script / Code
import requests
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Target network range (CIDR notation)
NETWORK_CIDR = "192.168.1.0/24" 
TIMEOUT = 2

def check_honeywell_camera(ip):
    try:
        # Attempt to connect to common HTTP ports
        for port in [80, 443, 8080]:
            url = f"http://{ip}:{port}"
            try:
                response = requests.get(url, timeout=TIMEOUT)
                # Check server header or title content for identifiers
                server_header = response.headers.get('Server', '').lower()
                content_text = response.text.lower()
                
                if 'honeywell' in server_header or 'honeywell' in content_text:
                    print(f"[+] Potential Honeywell Device found at: {url}")
                    print(f"    Server Header: {response.headers.get('Server')}")
                    return url
            except requests.RequestException:
                continue
    except Exception as e:
        pass
    return None

def main():
    print(f"[*] Scanning network: {NETWORK_CIDR} for Honeywell devices...")
    network = ipaddress.ip_network(NETWORK_CIDR)
    
    with ThreadPoolExecutor(max_workers=50) as executor:
        executor.map(check_honeywell_camera, network.hosts())
    
    print("[*] Scan complete.")

if __name__ == "__main__":
    main()

Mitigation and Remediation

The remediation for this flaw is straightforward, but urgency is paramount.

  1. Contact Vendor Support: Honeywell has not yet released a public automated patch. Affected users must contact Honeywell Customer Support immediately via their support portal to obtain specific patch information or firmware updates.
  2. Network Isolation (Immediate): Until a patch is applied, these cameras must not be accessible from the internet. Place them behind a firewall and ensure they are on an isolated VLAN, separated from critical business systems.
  3. Disable Remote Access: If you do not require remote viewing, disable port forwarding to these devices immediately. If remote access is strictly necessary, ensure it is tunneled through a secure VPN with MFA, though CISA warns that VPNs are only as secure as the devices they connect to.
  4. Review Logs: Audit your camera logs for any unauthorized password changes or unknown IP addresses accessing the management interface.

Conclusion

CVE-2026-1670 serves as a stark reminder that IoT security often lags behind traditional IT. A CCTV camera is no longer just a camera; it is a networked computer with a web server, and it must be hardened with the same rigor as any server. At Security Arsenal, we urge organizations to inventory their Honeywell devices immediately and apply vendor guidance without delay.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socmdrmanaged-socdetectioncve-2026-1670iot-securityhoneywellcctv

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action