Hirsch Enterphone MESH CVE-2025-26793
Severity: CRITICAL
CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
Analysis (AI-generated)
Default credentials (username 'freedom', password 'viscount') in the Hirsch Enterphone MESH web GUI enable remote takeover of apartment building access control systems across dozens of Canadian and U.S. buildings by anyone who knows the factory defaults. Attackers can reach mesh.webadmin.MESHAdminServlet over the Internet to extract resident PII and potentially manipulate building access controls. An EPSS score of 27.21% (96th percentile) indicates an elevated probability of exploitation, though there was no CISA KEV listing at the time of analysis. Exploitation requires no special conditions beyond network reachability of the vulnerable interface.
Technical Context (AI-generated)
Hirsch (formerly Identiv/Viscount) Enterphone MESH is a cloud-connected apartment intercom and access control system that uses the mesh.webadmin.MESHAdminServlet interface for remote administration. The vulnerability is classified as CWE-1393 (Use of Default Credentials): the system ships with factory credentials that administrators are not forced to change during initial setup. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms a remotely exploitable issue with low attack complexity that requires no prior privileges and no user interaction. The web GUI provides administrative access to building access control functions and stores personally identifiable information of building residents. The vendor's security model assumes post-deployment credential rotation in line with manufacturer recommendations, but the product design does not enforce this critical step, and changing the credentials reportedly requires many manual steps that discourage administrators from doing so.
Affected Products (AI-generated)
Hirsch Enterphone MESH (formerly marketed under the Identiv and Viscount brands) through 2024 releases is confirmed vulnerable per CPE applicability. The researcher disclosure identifies dozens of affected apartment buildings across Canada and the United States with Internet-exposed mesh.webadmin.MESHAdminServlet interfaces. Every deployment still using the factory default credentials remains exploitable regardless of firmware version. Vendor support resources are available at https://support.identiv.com/products/physical-access/hirsch/, though no specific security advisory addressing this CVE was identified in the provided references.
Remediation (AI-generated)
Immediately change the default credentials on all Hirsch Enterphone MESH deployments: open the web GUI configuration panel and work through the multi-step credential change process to set a strong administrator password distinct from the 'freedom'/'viscount' defaults. No vendor-released patch was identified at the time of analysis; this is a configuration issue rather than a code defect requiring a software update. Add network-level compensating controls by restricting access to mesh.webadmin.MESHAdminServlet to trusted management networks only, using firewall rules or a VPN requirement, so that the administrative interface is no longer directly reachable from the Internet. For buildings that are currently Internet-exposed, the emergency mitigation is to block external access to the admin servlet at the network perimeter until the credentials have been rotated. Monitor for authentication attempts that use the default credentials and treat them as a potential intrusion indicator, and review access logs for unauthorized administrative sessions that may have occurred before remediation. Vendor guidance recommends following the manufacturer documentation for secure deployment per https://support.identiv.com/products/physical-access/hirsch/, though detailed remediation steps are not provided in the available references.
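As an added defensive example (not part of this page, the NVD record or any vendor tooling), the following Python script implements the log review and default-credential monitoring recommended above: it flags requests to the admin servlet that originate outside an allowlisted management network and requests that carry the factory default username. The appliance's real log format, the servlet's URL path and the login parameter name are not documented on this page, so the embedded sample uses a generic access-log layout with a constructed /mesh/webadmin/MESHAdminServlet path and a `user=` query parameter as assumptions; adapt the regexes to the actual logs.

```python
import ipaddress
import re

# Constructed sample in a generic access-log layout; the MESH appliance's real
# log format, servlet URL path and login parameter name are assumptions.
SAMPLE_LOG = """\
10.20.0.5 - - [10/Mar/2025:09:12:01 -0500] "GET /mesh/webadmin/MESHAdminServlet?action=login HTTP/1.1" 200 512
198.51.100.23 - - [10/Mar/2025:09:13:44 -0500] "POST /mesh/webadmin/MESHAdminServlet HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2025:09:14:02 -0500] "GET /mesh/webadmin/MESHAdminServlet?action=login&user=freedom HTTP/1.1" 200 512
10.20.0.8 - - [10/Mar/2025:09:15:10 -0500] "POST /mesh/webadmin/MESHAdminServlet?user=freedom HTTP/1.1" 200 512
10.20.0.5 - - [10/Mar/2025:09:16:30 -0500] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADMIN_SERVLET = "MESHAdminServlet"   # servlet named in the CVE description
DEFAULT_USER = "freedom"             # factory default username per the advisory
DEFAULT_USER_RE = re.compile(rf"(?i)(?:^|&)user(?:name)?={re.escape(DEFAULT_USER)}(?:&|$)")


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_admin_exposure(log_text, trusted_cidrs):
    """Return (ip, reason, path) for each admin-servlet request that came from
    outside the trusted management networks or carried the default username."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or ADMIN_SERVLET not in rec["path"]:
            continue  # only administrative-interface traffic is of interest here
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in nets):
            findings.append((rec["ip"], "admin servlet reached from untrusted network", rec["path"]))
        query = rec["path"].partition("?")[2]
        if DEFAULT_USER_RE.search(query):
            findings.append((rec["ip"], "default username used against admin servlet", rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, reason, path in find_admin_exposure(SAMPLE_LOG, ["10.20.0.0/24"]):
        print(f"{ip:15} {reason}: {path}")
```

Any hit on the first rule means the perimeter block described above is not yet in place; any hit on the second rule after the credentials have been rotated is a failed login worth investigating.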