AI description
The web-based configuration panel for Hirsch Enterphone MESH (formerly Identiv and Viscount) versions through 2024 has a vulnerability due to default credentials. The username "freedom" with the password "viscount" can be used to access the administrative interface via `mesh.webadmin.MESHAdminServlet`. The system doesn't prompt administrators to change these credentials upon initial setup, and the process to change them is complex. This vulnerability potentially allows unauthorized access to building management systems. This vulnerability has been identified as CVE-2025-26793 and assigned the GitHub ID GHSA-x8v9-7r66-c92w. It affects numerous apartment buildings in Canada and the US. Exploiting this vulnerability could lead to unauthorized access and potential exposure of residents' personally identifiable information (PII). It's important to note that this information is current as of February 16, 2025, and the situation may evolve.
- Description: The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
- Source: cve@mitre.org
- NVD status: Received
CVSS 4.0
- Type: Secondary
- Base score: 10
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:S/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X
- Severity: CRITICAL
- CWE-1393 (source: cve@mitre.org)
🚨Critical Security Vulnerability in Hirsch Enterphone MESH 🆔 CVE: CVE-2025-26793 💣 CVSS Score: 10 📅 Published Date: 25/02/15 ⚠️ Details: The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials… htt
@DarkWebInformer
16 Feb 2025
CVE-2025-26793 Default Credentials Exposure in Hirsch Enterphone MESH Web GUI Enabling Unauthorized Access https://t.co/W7GiuXh0Ar
@VulmonFeeds
15 Feb 2025
CVE-2025-26793 The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password visc… https://t.co/6iA3rJvM69
@CVEnew
15 Feb 2025