The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.CreditsSouvik Kandar reported this vulnerability to CISA.Referenceshttps://www.cisa.gov/news-events/ics-advisories/icsa-26-048-04https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-048-04.jsonhttps://www.honeywell.com/us/en/contact/support
