PT-2025-7241 · Hirsch · Hirsch Enterphone Mesh

Eric Daigle · Published 2025-02-15 · Updated 2025-03-13 · CVE-2025-26793

CVSS v4.0: 10 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/MSI:S/S:P

Name of the Vulnerable Software and Affected Versions: Hirsch Enterphone MESH versions through 2024
Description: The Web GUI configuration panel of Hirsch Enterphone MESH ships with default credentials: username "freedom" and password "viscount". The administrator is not prompted to change these credentials on initial configuration, and changing them requires many steps. Attackers can use the credentials over the Internet via "mesh.webadmin.MESHAdminServlet" to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' personally identifiable information (PII).
Recommendations: For Hirsch Enterphone MESH versions through 2024, change the default credentials as soon as possible, following the manufacturer's recommendations to secure the system. As a temporary workaround, consider restricting access to the "mesh.webadmin.MESHAdminServlet" endpoint until the default credentials are changed. Additionally, review and follow the manufacturer's guidelines for securing the Web GUI configuration panel to prevent unauthorized access.


Related Identifiers

CVE-2025-26793

Affected Products

Hirsch Enterphone Mesh