Under research conducted by security researchers, it was discovered that a widely used door access control system includes an inherently insecure default password. Thousands of buildings across the country have insecure default passwords that can be accessed easily and remotely by anyone. It was discovered by Eric Daigle that there is still a lot of residential and commercial properties in North America that have not yet modified the default passwords for their access control systems, many of them are not even aware that this is a good idea.
When security researcher Eric Daigle examined an apartment building’s access control panel, he inadvertently discovered one of the most concerning security issues in recent years while inspecting the access control panel. Initially, a routine observation while waiting for a ferry led to the discovery of a critical security flaw affecting hundreds of residential buildings across the country, which caused a widespread financial loss for thousands of people.
In late last year, Eric Daigle became interested in the system when he noticed an unusual access control panel on his normal daily activities. He conducted a short online search for “MESH by Viscount” and found a sales page for its remote access capability, followed by the discovery of a PDF installation guide available for download.
It is typical for access control systems to be configured with a default password, which administrators are supposed to change to match their credentials.
However, Daigle observed that the installation manual did not provide clear instructions regarding how these credentials were to be modified.
It was later revealed, after further investigation into the user interface's login page title, that multiple publicly accessible login portals are available for this product. Alarmingly, as a result of this research, he was able to access the first one with default credentials, which highlights a critical security vulnerability.
The Enterphone MESH door access system is currently owned by Hirsch, and Hirsch has announced that to address this security vulnerability, a software patch will be released shortly that will require users to change their default password, as soon as possible. An internet-connected device will often have a default password, which is often included in the product manual to facilitate the initial setup process.
There is, however, a significant security risk in requiring end users to manually update these credentials, since if they fail to do so, their systems can be vulnerable to unauthorized access. Hirsch’s door access solutions are not prompted to customers when they are installed, nor are they required to modify the default passwords, leaving many systems at risk of unauthorized access.
This vulnerability had been discovered by security researcher Eric Daigle, based on the findings he made, according to his findings.
The vulnerability has been designated as CVE-2025-26793 as a result of his findings.
Modern building security systems have become increasingly integrated with the Internet of Things (IoT) technology, especially in apartment complexes seeking a more advanced alternative to traditional phone-line-based access control systems. Among these key fob systems, Hirsch Mesh features a web-based portal that enables the use of key fobs throughout a large building to be tracked and logged, as well as allowing remote access to various entry points also within the building to be controlled remotely.
The accessibility of the system's default login credentials, however, raises a crucial security concern because they are openly published in the installation manual, which is easily accessible via an online search, as the installer provides a list of the default login credentials.
While waiting at a bus stop for his bus, Eric Daigle made a quick internet search based on the name of the product displayed on the security terminal of the apartment complex across the street. He located the manual in just a few minutes, which identified a way to circumvent the building's security measures. This highlighted a significant flaw in the system's design, leading to a serious risk of abuse.
The default password that is set on internet-connected devices has historically posed a significant security threat because unauthorized individuals can gain access under the guise of legitimate users, leading to data breaches or the possibility of malicious actors hijacking these devices to carry out large-scale cyberattacks.
In recent years, there have been several governments, including the UK, Germany, the US, and other countries, which have been encouraging technology manufacturers to adopt more robust security measures to avoid the security risks associated with using default credentials that were considered insecure in the first place.
Having been rated as highly vulnerable by the FBI as a result of its ease of exploit, Hirsch's door entry system has been rated as a high threat as well with a severity rating of 10. Exploiting the flaw involves a minimal amount of effort. There is a public documentation available on Hirsch's website, which contains the installation manual for the system, which can be used to obtain the default password.
An affected building is vulnerable to unauthorized access if individuals with these credentials log in to the login window of the building's system through the login portal; this highlights a critical security flaw in the system.
