A security researcher says the default password shipped in a widely used door access control system allows anyone to easily and remotely access door locks and elevator controls in dozens of buildings across the U.S. and Canada.
Hirsch, the company that now owns the Enterphone MESH door access system, won’t fix the vulnerability, saying that the bug is by design and that customers should have followed the company’s setup instructions and changed the default password.Â
That leaves dozens of exposed buildings across North America that have not yet changed their access control system’s default password or are unaware that they should, according to Eric Daigle, who found the dozens of exposed buildings.
Default passwords are not uncommon nor necessarily a secret in internet-connected devices; passwords shipped with products are typically designed to simplify login access for the customer and are often found in their instruction manual. But relying on a customer to change a default password to prevent any future malicious access still classifies as a security vulnerability within the product itself.
In the case of Hirsch’s door entry products, customers installing the system are not prompted or required to change the default password.
As such, Daigle was credited with the discovery of the security bug, formally designated as CVE-2025-26793.
No planned fix
Default passwords have long been a problem for internet-connected devices, allowing malicious hackers to use the passwords to log in as if they were the rightful owner and steal data, or hijack the devices to harness their bandwidth for launching cyberattacks. In recent years, governments have sought to nudge technology makers away from using insecure default passwords given the security risks they present.
In the case of Hirsch’s door entry system, the bug is rated as a 10 out of 10 on the vulnerability severity scale, thanks to the ease with which anyone can exploit it. Practically speaking, exploiting the bug is as simple as taking the default password from the system’s installation guide on Hirsch’s website and plugging the password into the internet-facing login page on any affected building’s system.
In a blog post, Daigle said he found the vulnerability last year after discovering one of the Hirsch-made Enterphone MESH door entry panels on a building in his hometown of Vancouver. Daigle used internet scanning site ZoomEye to look for Enterphone MESH systems that were connected to the internet, and found 71 systems that still relied on the default-shipped credentials.
Daigle said the default password allows access to MESH’s web-based backend system, which building managers use to manage access to elevators, common areas, and office and residential door locks. Each system displays the physical address of the building with the MESH system installed, allowing anyone logging in to know which building they had access to.
Daigle said it was possible to effectively break into any of the dozens of affected buildings in minutes without attracting any attention.Â
TechCrunch intervened because Hirsch does not have the means, such as a vulnerability disclosure page, for members of the public like Daigle to report a security flaw to the company.Â
Hirsch CEO Mark Allen did not respond to TechCrunch’s request for comment but instead deferred to a senior Hirsch product manager, who told TechCrunch that the company’s use of default passwords is “outdated” (without saying how). The product manager said it was “equally concerning” that there are customers that “installed systems and are not following the manufacturers’ recommendations,” referring to Hirsch’s own installation instructions.
Hirsch would not commit to publicly disclosing details about the bug, but said it had contacted its customers about following the product’s instruction manual.
With Hirsch unwilling to fix the bug, some buildings — and their occupants — are likely to remain exposed. The bug shows that product development choices from yesteryear can come back to have real-world implications years later.
