CVE-2025-26793

CVE-2025-26793 affects the Web GUI configuration panel in Hirsch (formerly Identiv and Viscount) Enterphone MESH systems through 2024. These devices ship with hardcoded default credentials—username "freedom" and password "viscount"—that administrators are not prompted to change during initial setup. Changing the credentials requires multiple steps, leaving the systems exposed if defaults remain in use.

Remote attackers can exploit this vulnerability over the Internet by authenticating to the mesh.webadmin.MESHAdminServlet endpoint using the default credentials. Successful exploitation grants access to the configuration panels of affected Enterphone MESH installations, primarily in dozens of apartment buildings across Canada and the U.S., enabling attackers to obtain personally identifiable information (PII) of building residents.

Manufacturer advisories, including perspectives from Identiv (formerly Viscount), emphasize that vulnerable systems deviate from recommendations to change the default password upon deployment. No patches or automated remediation are detailed in available references; mitigation relies on manually updating credentials following the multi-step process outlined in product documentation. Additional context appears in security researcher Eric Daigle's analysis, demonstrating real-world access to multiple buildings in under five minutes.