Enterphone MESH - Hardcoded Credentials (CVE-2025-26793)

CVE-2025-26793 is a security vulnerability in the Hirsch Enterphone MESH system, where the web GUI configuration panel is shipped with hardcoded default credentials that are not required to be changed during setup. This oversight allows attackers to remotely access the administration interface via the Internet, potentially compromising the security of numerous apartment buildings and exposing residents' personally identifiable information (PII). The risk is heightened by the complexity involved in changing these default credentials, making it easier for threat actors to exploit the flaw for unauthorized access and data theft.

CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-26793 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-26793 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-26793 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit the default credentials by sending POST requests to the FREEDOM Administration login endpoint, targeting /mesh/servlet/mesh.webadmin.MESHAdminServlet?requestedAction=login to gain unauthorized administrative access.