CVE-2025-26793
CRITICAL EXPLOITED NUCLEIFREEDOM Administration - Default Login
Title source: nucleiDescription
The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
Exploits (1)
github
WORKING POC
40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/FREEDOM-Administration_Default-Login_CVE-2025-26793.py
Nuclei Templates (1)
FREEDOM Administration - Default Login
CRITICALVERIFIEDby Eric Daigle,DhiyaneshDK
FOFA:
title="FREEDOM Administration"
Scores
CVSS v4
10.0
EPSS
0.2721
EPSS Percentile
96.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/MSI:S/S:P
Details
VulnCheck KEV
2025-06-08
CWE
CWE-1393
Status
published
Products (1)
Hirsch/Enterphone MESH
< 2024
Published
Feb 15, 2025
Tracked Since
Feb 18, 2026