CVE-2025-26793
Published: 15 February 2025
Summary
CVE-2025-26793 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Ycombinator (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 3.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).
Deeper analysis
The vulnerability affects the Web GUI configuration panel in Hirsch (formerly Identiv and Viscount) Enterphone MESH systems through version 2024. It stems from hardcoded default credentials (username "freedom", password "viscount") that are not changed during initial setup and require multiple manual steps to update afterward, combined with exposure of the mesh.webadmin.MESHAdminServlet endpoint. This is tracked under CWE-1393 and carries a CVSS 4.0 score of 9.3.
Remote attackers with no authentication can reach affected systems over the Internet and obtain administrative access. Successful exploitation grants control over building entry systems and the ability to retrieve personally identifiable information belonging to residents in multiple Canadian and U.S. apartment buildings.
Vendor guidance states that affected deployments are not following manufacturer recommendations to replace the default password. Public reporting, including detailed analysis at ericdaigle.ca and discussion on Hacker News, indicates that the issue enables straightforward remote compromise without additional authentication bypasses. The associated EPSS score has remained in the 0.26 range with only minor fluctuation between current and peak values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4246
Vulnerability details
The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII.
NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
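A defender-side check for the exposure described above, added here as an example that is not part of the advisory and not Hirsch/Enterphone code: it scans web-server access logs for requests to the mesh.webadmin.MESHAdminServlet endpoint that arrive from outside a configurable set of internal ranges and are not rejected, which is the condition under which the advisory says remote access is possible. The combined log format and the internal ranges are assumptions; the sample log lines are constructed.

```python
import ipaddress
import re

# Constructed sample lines in Apache/nginx "combined" format, not real
# Enterphone MESH logs; only the servlet path comes from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2025:10:01:02 +0000] "POST /mesh.webadmin.MESHAdminServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2025:10:02:10 +0000] "GET /mesh.webadmin.MESHAdminServlet HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Feb/2025:10:03:44 +0000] "GET /mesh.webadmin.MESHAdminServlet HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [15/Feb/2025:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.77 - - [15/Feb/2025:10:05:00 +0000] "GET /mesh.webadmin.MESHAdminServlet HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""
ADMIN_SERVLET = "mesh.webadmin.MESHAdminServlet"
# Assumed site-internal ranges (RFC 1918 plus loopback); anything else counts
# as Internet-sourced. Adjust to the deployment's management networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source: treat as external so it gets reviewed
    return any(ip in net for net in INTERNAL_NETS)

def find_exposed_admin_access(log_text):
    """Admin-servlet requests from outside INTERNAL_NETS that the panel did not reject."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ADMIN_SERVLET not in rec["path"]:
            continue
        if is_internal(rec["ip"]) or rec["status"] >= 400:
            continue  # internal caller, or the panel refused the request
        findings.append({"ip": rec["ip"], "ts": rec["ts"],
                         "method": rec["method"], "status": rec["status"]})
    return findings
```

Any finding means the administration panel answered an Internet-sourced caller; with the default credentials still in place that is the full precondition for the compromise the advisory describes.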
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves hardcoded default credentials on a publicly accessible web administration interface, directly enabling remote authentication and access via default accounts (T1078.001) on an internet-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly requires changing default authenticators prior to first use and managing password strength, comprehensively mitigating the hardcoded default credentials vulnerability.
- AC-2 (Account Management): Requires identification, management, and review of accounts to disable unnecessary or default accounts and ensure appropriate access, addressing the account-lifecycle aspects of the vulnerability.
- CM-6 (Configuration Settings): Mandates establishing and enforcing secure configuration settings, including changing non-secure default passwords on systems like the Enterphone MESH Web GUI.