Hirsch · Hirsch Enterphone Mesh · CVE-2025-26793
Name of the Vulnerable Software and Affected Versions:
Hirsch Enterphone MESH versions through 2024
Description:
The Web GUI configuration panel of Hirsch Enterphone MESH ships with default credentials (username `freedom`, password `viscount`). The administrator is not prompted to change these credentials on initial configuration, and changing them requires many steps. Attackers can use the credentials over the Internet via "mesh.webadmin.MESHAdminServlet" to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' personally identifiable information (PII).
Recommendations:
For Hirsch Enterphone MESH versions through 2024, change the default credentials as soon as possible, following the manufacturer's recommendations to secure the system. As a temporary workaround, consider restricting access to the "mesh.webadmin.MESHAdminServlet" endpoint until the default credentials are changed. Additionally, review and follow the manufacturer's guidelines for securing the Web GUI configuration panel to prevent unauthorized access.
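To check whether the restriction on "mesh.webadmin.MESHAdminServlet" is holding, the following added example (not vendor code) scans web access logs for requests to that servlet from addresses outside a management allowlist. It assumes a reverse proxy or web server in front of the panel that writes Combined Log Format; the allowlisted networks, the `/PLACEHOLDER/` path prefix and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Servlet name from the advisory; matched as a substring because the full URL path is not on the page.
SERVLET = "mesh.webadmin.MESHAdminServlet".lower()
# Assumption: management networks permitted to reach the panel (constructed values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]
# Combined Log Format prefix: client ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_allowed(ip_text):
    """True if the client address falls inside a management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(ip in net for net in ALLOWED_NETS)

def find_external_admin_hits(lines):
    """Return (ip, timestamp, status) for servlet requests from outside ALLOWED_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        # Decode percent-escapes so an encoded servlet name is still matched.
        if not m or SERVLET not in unquote(m["target"]).lower():
            continue
        if not is_allowed(m["ip"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def summarize(hits):
    """Count hits per source address so repeat visitors stand out."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample log lines (placeholder path prefix, documentation-range addresses).
SAMPLE_LOG = [
    '10.20.0.5 - - [12/Feb/2025:09:14:02 +0000] "GET /PLACEHOLDER/mesh.webadmin.MESHAdminServlet HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Feb/2025:09:20:41 +0000] "POST /PLACEHOLDER/mesh.webadmin.MESHAdminServlet HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.77 - - [12/Feb/2025:09:20:44 +0000] "GET /PLACEHOLDER/mesh.webadmin.%4dESHAdminServlet HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.9 - - [12/Feb/2025:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in summarize(find_external_admin_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} request(s) to the admin servlet from outside the allowlist")
```

Any hit means the endpoint is still reachable from outside the management networks, whatever the response status, and the access restriction should be rechecked.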