CVE-2025-26793

The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."

CVSS

No CVSS.

References

Link	Resource
https://news.ycombinator.com/item?id=43160884
https://support.identiv.com/products/physical-access/hirsch/
https://www.ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/

Configurations

No configuration.

History

No history.

Information

Published : 2025-02-15 15:15

Updated : 2025-02-24 17:15

NVD link : CVE-2025-26793

Mitre link : CVE-2025-26793

CVE.ORG link : CVE-2025-26793

JSON object : View

Products Affected

No product.

CWE

CWE-1393

Use of Default Password

{"id": "CVE-2025-26793", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:S/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "SAFETY", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-15T15:15:23.587", "references": [{"url": "https://news.ycombinator.com/item?id=43160884", "source": "[email protected]"}, {"url": "https://support.identiv.com/products/physical-access/hirsch/", "source": "[email protected]"}, {"url": "https://www.ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1393"}]}], "descriptions": [{"lang": "en", "value": "The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the \"vulnerable systems are not following manufacturers' recommendations to change the default password.\""}, {"lang": "es", "value": "El panel de configuraci\u00f3n de la interfaz gr\u00e1fica de usuario web de Hirsch (anteriormente Identiv y Viscount) Enterphone MESH hasta 2024 se entrega con credenciales predeterminadas (nombre de usuario freedom, contrase\u00f1a viscond). No se le solicita al administrador que cambie estas credenciales en la configuraci\u00f3n inicial, y cambiar las credenciales requiere muchos pasos. Los atacantes pueden usar las credenciales a trav\u00e9s de Internet mediante mesh.webadmin.MESHAdminServlet para obtener acceso a docenas de edificios de apartamentos canadienses y estadounidenses y obtener informaci\u00f3n de identificaci\u00f3n personal de los residentes del edificio. NOTA: la perspectiva del proveedor es que los \"sistemas vulnerables no siguen las recomendaciones de los fabricantes para cambiar la contrase\u00f1a predeterminada\"."}], "lastModified": "2025-02-24T17:15:14.580", "sourceIdentifier": "[email protected]"}