Cyber Resilience

CVE-2025-26793

Critical

Published: 15 February 2025
Modified: 26 April 2026
CVSS v4.0 score: 9.3 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.2596 (96.4th percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26793 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Ycombinator (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 3.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).

Deeper analysis

The vulnerability affects the Web GUI configuration panel in Hirsch (formerly Identiv and Viscount) Enterphone MESH systems through version 2024. It stems from hardcoded default credentials (username "freedom", password "viscount") that are not changed during initial setup and require multiple manual steps to update afterward, combined with exposure of the mesh.webadmin.MESHAdminServlet endpoint. This is tracked under CWE-1393 and carries a CVSS 4.0 score of 9.3.

Remote attackers with no authentication can reach affected systems over the Internet and obtain administrative access. Successful exploitation grants control over building entry systems and the ability to retrieve personally identifiable information belonging to residents in multiple Canadian and U.S. apartment buildings.

Vendor guidance states that affected deployments are not following manufacturer recommendations to replace the default password. Public reporting, including detailed analysis at ericdaigle.ca and discussion on Hacker News, indicates that the issue enables straightforward remote compromise without additional authentication bypasses. The associated EPSS score has remained in the 0.26 range with only minor fluctuation between current and peak values.

Vulnerability details

The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1078.001 Default Accounts (Stealth): Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability involves hardcoded default credentials on a publicly accessible web administration interface, directly enabling remote authentication and access via default accounts (T1078.001) on an Internet-facing application (T1190).

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One (shared CWE-1393)

- CVE-2026-24429
- CVE-2026-2635
- CVE-2025-66050
- CVE-2025-22938
- CVE-2024-49559
- CVE-2026-33784
- CVE-2025-2347
- CVE-2024-43659
- CVE-2025-26701
- CVE-2026-4404

Affected Assets

Ycombinator (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- Prevent (IA-5 Authenticator Management): Directly requires changing default authenticators prior to first use and managing password strength, comprehensively mitigating the hardcoded default credentials vulnerability.
- Prevent (AC-2 Account Management): Requires identification, management, and review of accounts to disable unnecessary or default accounts and ensure appropriate access, addressing account lifecycle aspects of the vulnerability.
- Prevent: Mandates establishing and enforcing secure configuration settings, including changing non-secure default passwords on systems like the Enterphone MESH Web GUI.