OTPulse

Honeywell Performance IP Cameras and Performance NVRs

Monitor | CVSS 5.3 | ICS-CERT ICSA-19-260-03 | Sep 17, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Honeywell Performance IP Series cameras and NVRs contain an information disclosure vulnerability that allows an unauthenticated attacker to view sensitive device configuration information. The vulnerability affects 60+ camera models across multiple form factors (dome, turret, and bullet cameras). An attacker on the network, or on the Internet if the camera is directly exposed, can query the device for configuration details that may reveal network topology, settings, or operational information useful for reconnaissance. The vulnerability has a CVSS score of 5.3 (medium) and requires only network access with no authentication. No public exploits currently exist. Honeywell has released firmware updates for affected devices, though some older models may no longer receive updates.

What this means
What could happen
An attacker with network access to an affected camera could view sensitive device configuration information, potentially revealing network topology, credentials, or operational details useful for further attacks on your surveillance or facility infrastructure.
Who's at risk
Security managers and IT staff responsible for Honeywell Performance IP Series surveillance cameras and NVRs at water utilities, electric substations, critical infrastructure facilities, or any site where facility security cameras are deployed. This includes dome cameras (HBD, HED variants), turret cameras (HEN variants), bullet cameras (H2W, H4W, HEW variants), and their associated NVRs.
How it could be exploited
An attacker on your network (or the Internet if the camera is exposed) can send an unauthenticated request to the camera to retrieve configuration data. The camera responds with sensitive information without requiring login credentials, allowing reconnaissance of your security infrastructure.
Prerequisites
  • Network connectivity to the affected camera over IP
  • Camera must be reachable on the network (no authentication required)
remotely exploitable · no authentication required · low complexity · no patch available (end-of-life devices) · information disclosure of configuration data
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (59)
59 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| Performance IP Series cameras: H2W2PER3 | H2W2PER3 | No fix yet |
| Performance IP Series cameras: HPW2P1 | HPW2P1 | No fix yet |
| Performance IP Series cameras: HEW4PER2B | HEW4PER2B | No fix yet |
| Performance IP Series cameras: HEN32204 | HEN32204 | No fix yet |
| Performance IP Series cameras: H4W2PER2 | H4W2PER2 | No fix yet |
Remediation & Mitigation
Do now
WORKAROUND: Isolate affected cameras from the Internet or place behind firewall/DMZ to block external access
HARDENING: Restrict network access to cameras to only authorized management workstations; use firewall rules to block unexpected connections
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply firmware update from Honeywell (available at https://mywebtech.honeywell.com/Home with login)
Long-term hardening
HARDENING: If remote camera access is needed, require VPN or other secure tunneling mechanism