CVE-2025-26793 (CVSS 10): Critical Security Vulnerability in Hirsch Enterphone MESH

3/5/2025

A security researcher has revealed that the default password in a widely used door access control system allows anyone to easily and remotely access door locks and elevator controls in numerous buildings across the U.S. and Canada.

Eric Daigle reported finding exposed residential and office buildings throughout North America that have not changed their access control system’s default password, or are unaware of the need to do so.

Hirsch, the company that currently owns the Enterphone MESH door access system, has stated it will address the security issue with an upcoming patch that will require customers to change the default password.

Default passwords are common in internet-connected devices and are not necessarily secret; they are generally included in product manuals to simplify customer login. However, relying on customers to change the default password to prevent future malicious access still constitutes a security vulnerability in the product itself.

For Hirsch's door entry systems, customers were neither prompted nor required to change the default password during installation.
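
One way a device backend can require the change that was missing here, as an added example (not Hirsch's code). The account store, the function names, the `unlock_door` action and the placeholder default password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed placeholder, NOT the real product default.
FACTORY_DEFAULT = "factory-default-placeholder"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    """Hypothetical single-admin account store for a device's web backend."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.digest = _hash(FACTORY_DEFAULT, self.salt)
        self.must_change = True  # shipped state; only change_password clears it

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.digest)

    def login(self, password: str) -> str:
        """Return 'denied', 'change_required' or 'full'."""
        if not self._check(password):
            return "denied"
        return "change_required" if self.must_change else "full"

    def change_password(self, old: str, new: str) -> bool:
        if not self._check(old):
            return False
        # Reject short passwords and re-use of the documented default.
        if len(new) < 12 or hmac.compare_digest(new.encode(), FACTORY_DEFAULT.encode()):
            return False
        self.salt = os.urandom(16)
        self.digest = _hash(new, self.salt)
        self.must_change = False
        return True


def authorize(session_state: str, action: str) -> bool:
    """Gate every backend action on the state that login() returned."""
    if session_state == "full":
        return True
    # A session opened with the default may do one thing: replace the password.
    return session_state == "change_required" and action == "change_password"
```

The point of the design is that the default credential never yields a session that can reach door or elevator controls, so a device left in its shipped state exposes only the password-change step.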

Daigle has been credited with discovering this security flaw, which has been formally assigned CVE-2025-26793.

Door Locks and Elevator Access

Default passwords have long been a security concern for internet-connected devices, as they allow malicious hackers to log in as if they were the legitimate owner, steal data, or hijack the devices to exploit their bandwidth for cyberattacks. In recent years, governments have pushed technology makers to move away from using insecure default passwords due to the security risks they pose.

For Hirsch’s door entry system, the vulnerability is rated a 10 out of 10 on the severity scale, reflecting how easily it can be exploited.

In practical terms, exploiting the flaw is as simple as retrieving the default password from the system’s installation guide on Hirsch’s website and entering it into the internet-facing login page of any affected building’s system.

Daigle, in a blog post, shared that he discovered the vulnerability in 2024 after finding one of Hirsch’s Enterphone MESH door entry panels at a building in his hometown of Vancouver. Using the internet scanning tool ZoomEye, Daigle identified 71 systems still relying on the default credentials.

The default password granted access to MESH’s web-based backend, where building managers control access to elevators, common areas, and office and residential locks. Each system also displayed the physical address of the building with the MESH system installed, providing any unauthorized user with information about the location they had access to.

Daigle noted that exploiting the vulnerability would allow an attacker to effectively break into any of the affected buildings within minutes, without drawing attention.

Update your systems!!

To learn more about our services and how we can help protect your systems, visit https://www.vaptern.com/services or contact us directly.