CVE-2025-26793
Published: 15 February 2025
Summary
CVE-2025-26793 is an uncategorised-severity Use of Default Password (CWE-1393) vulnerability in Ycombinator (inferred from references). Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked in the top 3.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires changing default authenticators prior to first use and managing password strength, comprehensively mitigating the hardcoded default credentials vulnerability.
Requires identification, management, and review of accounts to disable unnecessary or default accounts and ensure appropriate access, addressing account lifecycle aspects of the vulnerability.
Mandates establishing and enforcing secure configuration settings, including changing non-secure default passwords on systems like the Enterphone MESH Web GUI.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves hardcoded default credentials on a publicly accessible web administration interface, directly enabling remote authentication and access via default accounts (T1078.001) on an internet-facing application (T1190).
NVD Description
The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
Deeper analysis
CVE-2025-26793 affects the Web GUI configuration panel in Hirsch (formerly Identiv and Viscount) Enterphone MESH systems through 2024. These devices ship with hardcoded default credentials—username "freedom" and password "viscount"—that administrators are not prompted to change during initial setup. Changing the credentials requires multiple steps, leaving the systems exposed if defaults remain in use.
Remote attackers can exploit this vulnerability over the Internet by authenticating to the mesh.webadmin.MESHAdminServlet endpoint using the default credentials. Successful exploitation grants access to the configuration panels of affected Enterphone MESH installations, primarily in dozens of apartment buildings across Canada and the U.S., enabling attackers to obtain personally identifiable information (PII) of building residents.
Manufacturer advisories, including perspectives from Identiv (formerly Viscount), emphasize that vulnerable systems deviate from recommendations to change the default password upon deployment. No patches or automated remediation are detailed in available references; mitigation relies on manually updating credentials following the multi-step process outlined in product documentation. Additional context appears in security researcher Eric Daigle's analysis, demonstrating real-world access to multiple buildings in under five minutes.
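Since the exposure described above depends on the admin servlet being reachable from the Internet, an operator can check access logs for requests to it from outside the building network. The following is an added example, not code from the advisory, the vendor or the researcher; it assumes a reverse proxy or gateway in front of the panel writes Combined Log Format, that the servlet name appears in the request URI, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Servlet name from the CVE description; its presence in the URI is an assumption.
SERVLET = "mesh.webadmin.MESHAdminServlet"
# Sources treated as internal by default (RFC 1918 and loopback).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined Log Format: client, identity, user, [time], "METHOD URI PROTO", status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def external_panel_hits(lines, trusted_nets=()):
    """Return {source_ip: [(timestamp, method, status), ...]} for requests to the
    admin servlet from addresses outside INTERNAL and outside trusted_nets."""
    skip = INTERNAL + [ipaddress.ip_network(n) for n in trusted_nets]
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        # Decode percent-encoding so an encoded path still matches.
        if not m or SERVLET.lower() not in unquote(m["uri"]).lower():
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # client field is a hostname or malformed
        if any(src in net for net in skip):
            continue
        hits[str(src)].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges, hypothetical paths).
SAMPLE = [
    '203.0.113.45 - - [10/Feb/2025:03:12:01 +0000] "GET /mesh.webadmin.MESHAdminServlet HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.45 - - [10/Feb/2025:03:12:09 +0000] "POST /mesh.webadmin.MESHAdminServlet HTTP/1.1" 302 0 "-" "-"',
    '192.168.10.7 - - [10/Feb/2025:08:30:44 +0000] "GET /mesh.webadmin.MESHAdminServlet HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [10/Feb/2025:09:01:13 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.20 - - [10/Feb/2025:09:02:13 +0000] "GET /%6Desh.webadmin.MESHAdminServlet HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for src, reqs in external_panel_hits(SAMPLE).items():
        print(src, reqs)
```

Pass the management network as `trusted_nets` (for example a VPN range) so that only unexpected sources are reported.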
Details
- CWE(s)