CVE-2025-26793
Description
The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-26793? +
How do I check if I'm vulnerable to CVE-2025-26793? +
Related Vulnerabilities
vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` …
Default Credentail vulnerabilities allows access to an Aspect device using publicly available default credentials since the system does not require …
An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH …
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build …
An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access …
Adtran 411 ONT L80.00.0011.M2 was discovered to contain weak default passwords.