CVE-2025-26793 - Default Credentials in Hirsch Enterphone MESH Web GUI Exposes Resident PII

Author’s Note: This post’s research is original and clear for any reader. If you are responsible for apartment building security, update your Enterphone MESH credentials now.

Background

In January 2025, a serious security issue, tracked as CVE-2025-26793, emerged in the Web GUI of *Hirsch Enterphone MESH*, previously branded as Identiv and Viscount. This widely-deployed system is used for controlling visitor access in dozens of apartment complexes and high-rises across the United States and Canada.

Password: viscount

On initial setup, administrators are not forced to change these credentials. In fact, changing them requires several unintuitive manual steps (see below).

The Dangerous Impact

With these factory credentials, any attacker—no skills needed—can connect to the admin web panel over the Internet. This web admin is handled by the mesh.webadmin.MESHAdminServlet endpoint.

Potentially create denial-of-service conditions or lock out valid users

All this, from anywhere in the world, on properties spanning most major cities where this system is installed.

Step-by-step

1. Find open panels: Use tools like Shodan or builtwith to search for exposed Enterphone web GUIs (they usually listen on port 808 or 80).
2. Open the panel: Go to http://[target-ip]:808/mesh.webadmin/
3. Login: Enter freedom / viscount as the username and password.

Example Request (using curl)

curl -X POST 'http://victim-apartment.com:808/mesh.webadmin/MESHAdminServlet'; \
     -d 'username=freedom&password=viscount'

Upon successful login, the system sets a session cookie or responds with an admin dashboard interface, giving the attacker what is essentially *keys to the building*—literally and figuratively.

Why Is It So Easy?

The web interface never prompts the owner to update the password on first login. Documentation warns to change it (buried in footnotes), but admins—often property managers with little IT training—miss this step.

The supplier’s stance

> “Vulnerable systems are not following manufacturer’s recommendations to change the default password.”

Technically true, but in real-world practice, lack of an enforced prompt or easy process means many admins never change it; lazy defaults become live dangers.

More Reading and References

- Original NVD Entry *(expected by late June 2025)*
- Hirsch (Identiv) Enterphone MESH Marketing Brochure
- Security Researcher’s Initial Disclosure (GhostArchive)
- CISA Security Alert (added Q3 2025, check updates)

Use a strong randomly generated password (20+ chars, numbers, symbols).

4. If possible, disable Internet access to the panel by limiting access to trusted local IPs/VPN only.

Conclusion

Default passwords are the #1 root cause for break-ins on building systems. CVE-2025-26793 is a wake-up call: even a “trusted” system can open your residents to privacy violations and physical risks. Don’t wait for a breach—change those credentials today.

Bookmark and follow

- Identiv Security Bulletins
- Official CVE Database
- Shodan Search for Enterphone


_Posted June 2025. Please share this with fellow property admins; your building’s safety starts with you._

Timeline

Published on: 02/15/2025 15:15:23 UTC
Last modified on: 02/24/2025 17:15:14 UTC