CVE-2025-26793

CVSS 10 CRITICALEPSS 2.3%CWE-1393

In short

Hirsch Enterphone MESH systems come with preset username and password (freedom/viscount) that users aren't forced to change during setup. Attackers can use these credentials over the internet to access building control panels and steal residents' personal information from dozens of North American apartment buildings.

Technical detail

CWE-1393 default credentials vulnerability in Enterphone MESH Web GUI (mesh.webadmin.MESHAdminServlet) allows unauthenticated remote attackers to gain administrative access without changing default credentials during initial configuration. Pre-condition: default credentials remain unchanged; impact includes unauthorized access to building management systems and exposure of residents' PII across multiple facilities.

Summary generated and translated by AI from the official description.

The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/MSI:S/S:P

Affected products

Hirsch · Enterphone MESH

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://news.ycombinator.com/item?id=43160884 https://support.identiv.com/products/physical-access/hirsch/https://www.ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/