Enterphone MESH - Hardcoded Credentials (CVE-2025-26793)

CVE-2025-26793 is a security vulnerability in the Hirsch Enterphone MESH system, where the web GUI configuration panel is shipped with hardcoded default credentials that are not required to be changed during setup. This oversight allows attackers to remotely access the administration interface via the Internet, potentially compromising the security of numerous apartment buildings and exposing residents' personally identifiable information (PII). The risk is heightened by the complexity involved in changing these default credentials, making it easier for threat actors to exploit the flaw for unauthorized access and data theft.

CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-26793 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-26793. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit the default credentials by sending POST requests to the FREEDOM Administration login endpoint, targeting /mesh/servlet/mesh.webadmin.MESHAdminServlet?requestedAction=login to gain unauthorized administrative access.