Security researchers say the default passwords shipped to the widely used door access control system allow anyone to easily and remotely access door locks and elevator controls in dozens of buildings in the US and Canada. It states.
Hirsch, a company that currently owns the Enterphone Mesh Door Access system, says that the bugs must be designed to require customers to follow the company's setup instructions and change the default password, and will not fix the vulnerability. .
According to Eric Daigle, who found dozens of exposed buildings, the number of North Americans who have not yet changed the default password for their access control systems or are not aware that they should do so, says Eric Daigle. Ten exposed residential and office buildings remain.
Default passwords are not uncommon or necessarily secrets to internet-connected devices. Product-equipped passwords are usually designed to simplify customer login access and are often listed in the instruction manual. However, relying on customers to change their default passwords to prevent future malicious access is classified as a security vulnerability within the product itself.
For Hirsch door entry products, customers installing the system are not or are not asked to change the default password.
Thus, Daigle was recognized as the discovery of a security bug officially designated CVE-2025-26793.
No planned modifications
The default password has long been an issue for internet-connected devices. Malicious hackers can use their password to log in as if they were legitimate owners, steal data, or hijack the device to harness the bandwidth to launch a cyber attack . In recent years, governments have been trying to avert technology manufacturers from using unsecure default passwords, taking into account the security risks they present.
In the case of Hirsch's door entry system, the bug is rated 10 out of 10 on the vulnerability severity scale, thanks to allowing anyone to exploit it. In fact, exploiting a bug is the same as getting the default password from the system installation guide on the Hirsch website and connecting the password to a login page headed to the internet on the affected building system. It's as easy as that.
In a blog post, Daigle said he discovered the vulnerability last year after discovering one of Hirsch's Enterphone mesh door panels in his hometown of Vancouver. Daigle used the internet scanning site Zoomeye to search for an Enterphone mesh system connected to the internet and found 71 systems that still rely on default shipment credentials.
Daigle says the default password allows access to mesh web-based backend systems, which the Construction Manager uses to manage access to elevators, common areas, offices and residential door locks. Each system displays the physical address of the building where the mesh system is installed, allowing anyone to know which buildings are accessible to the logged in building.
Daigle said it is possible to effectively infiltrate any of the dozens of affected buildings in minutes without attracting attention.
TechCrunch intervened because Hirsch had no means such as a vulnerability disclosure page for public members like Daigle to report security flaws to the company.
Hirsch CEO Mark Allen did not respond to TechCrunch's request for comment and instead postponed it to Hirsch's senior product manager. The Hirsch Product Manager told TechCrunch that using the default password is “outdated.” The Product Manager said it was “equally concerning” that customers “have installed the system and did not follow the manufacturer's recommendations” referring to Hirsch's own installation instructions.
Hirsch said it had not committed to publicly disclose details about the bug, but it contacted customers about following the product's instruction manual.
Some buildings and their residents may remain exposed as Hirsch does not want to fix the bug. This bug shows that last year's product development options could return in a few years to have real-world impact.