CVE-2019-18226
📋 TL;DR
Honeywell equIP series and Performance series IP cameras and recorders retain a weak authentication method for legacy compatibility, allowing replay attacks. Attackers can bypass authentication by replaying captured credentials, potentially gaining unauthorized access to video surveillance systems. Organizations using these specific Honeywell products are affected.
💻 Affected Systems
- Honeywell equIP series IP cameras
- Honeywell Performance series IP cameras
- Honeywell equIP series recorders
- Honeywell Performance series recorders
📦 What is this software?
Hcd8g Firmware by Honeywell
Hcl2g Firmware by Honeywell
Hcl2gv Firmware by Honeywell
Hcw2g Firmware by Honeywell
Hcw2gv Firmware by Honeywell
Hcw4g Firmware by Honeywell
Hpw2p1 Firmware by Honeywell
Hsw2g1 Firmware by Honeywell
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of surveillance systems allowing attackers to view/record/manipulate video feeds, disable cameras, or pivot to internal networks.
Likely Case
Unauthorized access to live camera feeds and recorded footage, potentially exposing sensitive areas or violating privacy regulations.
If Mitigated
Limited impact if cameras are isolated on separate VLANs with strict network segmentation and access controls.
🎯 Exploit Status
Attack requires capturing authentication traffic first, then replaying it. No authentication bypass without captured credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates released by Honeywell (specific versions vary by product)
Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsa-19-304-04
Restart Required: Yes
Instructions:
1. Identify affected camera/recorder models.
2. Download latest firmware from Honeywell support portal.
3. Backup configurations.
4. Apply firmware update via web interface or management software.
5. Verify update successful and reconfigure if needed.
🔧 Temporary Workarounds
Network segmentation
Isolate cameras and recorders on a separate VLAN with strict firewall rules limiting access to management interfaces.
Disable legacy protocols
If possible, disable legacy authentication methods in camera/recorder settings (may break compatibility with older systems).
🧯 If You Can't Patch
- Implement strict network access controls allowing only authorized management stations to communicate with cameras/recorders.
- Monitor network traffic for authentication replay patterns and implement intrusion detection for suspicious authentication attempts.
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version against the list of patched versions in the Honeywell advisory. Devices running firmware prior to the patched versions are vulnerable.
Check Version:
Log in to the device web interface (System > Information), or query the device's system OID via SNMP.
Verify Fix Applied:
Confirm firmware version matches or exceeds patched version listed in Honeywell advisory. Test authentication with legacy methods to ensure they're properly disabled.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login from same source
- Authentication logs showing legacy protocol usage
Network Indicators:
- Repeated identical authentication packets from same source
- Traffic patterns suggesting credential replay
SIEM Query:
source_ip=* dest_ip=camera_ip auth_protocol=legacy AND result=success WITHIN 1s OF previous identical auth_packet
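The replay indicators above, worked through as an added example (not vendor or advisory code): a Python pass over parsed authentication events that flags a successful legacy login whose payload is byte-identical to an earlier one for the same camera. The event fields, the `legacy` label and the sample records are assumptions constructed for illustration, and the "new source" rule goes beyond the page's same-source indicator.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample events (not from a real device): time, source, camera,
# auth protocol label, result, and the raw authentication payload as hex.
SAMPLE_EVENTS = [
    ("2019-11-01T10:00:00.000", "10.0.5.20", "10.0.9.10", "legacy", "success", "a1b2c3d4"),
    ("2019-11-01T10:00:00.400", "10.0.5.20", "10.0.9.10", "legacy", "success", "a1b2c3d4"),
    ("2019-11-01T10:05:00.000", "10.0.5.77", "10.0.9.10", "legacy", "success", "a1b2c3d4"),
    ("2019-11-01T10:06:00.000", "10.0.5.20", "10.0.9.11", "digest", "success", "ffee0011"),
    ("2019-11-01T10:07:00.000", "10.0.5.21", "10.0.9.10", "legacy", "failure", "deadbeef"),
    ("2019-11-01T10:07:00.200", "10.0.5.21", "10.0.9.10", "legacy", "failure", "deadbeef"),
]

def find_replays(events, window=timedelta(seconds=1)):
    """Return findings for successful legacy logins whose payload repeats.

    A finding is raised when the same payload reaches the same camera again
    within `window` (the page's 1 s rule), or at any time from a new source.
    """
    seen = {}  # (camera, payload digest) -> (time last seen, set of sources)
    findings = []
    for ts, src, dst, proto, result, payload_hex in sorted(events):
        if proto != "legacy" or result != "success":
            continue
        when = datetime.fromisoformat(ts)
        key = (dst, hashlib.sha256(bytes.fromhex(payload_hex)).hexdigest())
        if key not in seen:
            seen[key] = (when, {src})
            continue
        last, sources = seen[key]
        reason = None
        if src not in sources:
            reason = "identical payload from new source"
        elif when - last <= window:
            reason = "identical payload repeated within window"
        if reason:
            findings.append({"time": ts, "source": src, "camera": dst, "reason": reason})
        sources.add(src)
        seen[key] = (when, sources)
    return findings

if __name__ == "__main__":
    for finding in find_replays(SAMPLE_EVENTS):
        print(finding)
```

If the legacy method sends the same payload on every legitimate login, same-source repeats outside the window are expected, which is why only the short-window and new-source cases are reported.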