A security researcher says the default password shipped in a widely used door access control system allows anyone to easily and remotely access door locks and elevator controls in dozens of buildings across the U.S. and Canada.
Hirsch, the company that now owns the Enterphone MESH door access system, wonโt fix the vulnerability, saying that the bug is by design and that customers should have followed the companyโs setup instructions and changed the default password.
That leaves dozens of exposed residential and office buildings across North America that have not yet changed their access control systemโs default password or are unaware that they should, according to Eric Daigle, who found the dozens of exposed buildings.
Default passwords are not uncommon nor necessarily a secret in internet-connected devices; passwords shipped with products are typically designed to simplify login access for the customer and are often found in their instruction manual. But relying on a customer to change a default password to prevent any future malicious access still classifies as a security vulnerability within the product itself.
In the case of Hirschโs door entry products, customers installing the system are not prompted or required to change the default password.
As such, Daigle was credited with the discovery of the security bug, formally designated as CVE-2025-26793.
No planned fix
Default passwords have long been a problem for internet-connected devices, allowing malicious hackers to use the passwords to log in as if they were the rightful owner and steal data, or hijack the devices to harness their bandwidth for launching cyberattacks. In recent years, governments have sought to nudge technology makers away from using insecure default passwords given the security risks they present.
In the case of Hirschโs door entry system, the bug is rated as a 10 out of 10 on the vulnerability severity scale, thanks to the ease with which anyone can exploit it. Practically speaking, exploiting the bug is as simple as taking the default password from the systemโs installation guide on Hirschโs website and plugging the password into the internet-facing login page on any affected buildingโs system.
In a blog post, Daigle said he found the vulnerability last year after discovering one of the Hirsch-made Enterphone MESH door entry panels on a building in his hometown of Vancouver. Daigle used internet scanning site ZoomEye to look for Enterphone MESH systems that were connected to the internet, and found 71 systems that still relied on the default-shipped credentials.
Daigle said the default password allows access to MESHโs web-based backend system, which building managers use to manage access to elevators, common areas, and office and residential door locks. Each system displays the physical address of the building with the MESH system installed, allowing anyone logging in to know which building they had access to.
Daigle said it was possible to effectively break into any of the dozens of affected buildings in minutes without attracting any attention.
TechCrunch intervened because Hirsch does not have the means, such as a vulnerability disclosure page, for members of the public like Daigle to report a security flaw to the company.
Hirsch CEO Mark Allen did not respond to TechCrunchโs request for comment but instead deferred to a senior Hirsch product manager, who told TechCrunch that the companyโs use of default passwords is โoutdatedโ (without saying how). The product manager said it was โequally concerningโ that there are customers that โinstalled systems and are not following the manufacturersโ recommendations,โ referring to Hirschโs own installation instructions.
Hirsch would not commit to publicly disclosing details about the bug, but said it had contacted its customers about following the productโs instruction manual.
With Hirsch unwilling to fix the bug, some buildings โ and their occupants โ are likely to remain exposed. The bug shows that product development choices from yesteryear can come back to have real-world implications years later.
