CVE-2026-1670 CRITICAL

CVE-2026-1670: Honeywell CCTV Products Missing Authentication for Critical Function

Vendor Honeywell
Product I-HIB2PI-UL 2MP IP
Weakness CWE-306 · Missing auth
Published February 17, 2026
Last update February 18, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.

Key dates

02Disclosure timeline

February 17, 2026 CVE published
February 18, 2026 Record updated