Alexis Rowe
A security researcher has uncovered a critical vulnerability in a widely used door access control system, allowing anyone to remotely access and control door locks and elevator systems in dozens of buildings across the US and Canada. The flaw, which has been designated as CVE-2025-26793, lies in the default password shipped with the Enterphone MESH door access system, owned by Hirsch.
The researcher, Eric Daigle, found that the default password allows unrestricted access to the system's web-based backend, which building managers use to manage access to elevators, common areas, and office and residential door locks. This means that anyone with the default password can gain access to these systems, potentially compromising the security of the buildings and their occupants.
What's more alarming is that Hirsch, the company behind the Enterphone MESH system, has refused to fix the vulnerability, saying that the bug is "by design" and that customers should have followed the company's setup instructions and changed the default password. This stance has left dozens of buildings exposed, as many customers may not be aware of the need to change the default password or have simply neglected to do so.
Daigle's discovery highlights the long-standing issue of default passwords in internet-connected devices, which can be easily exploited by malicious hackers. In recent years, governments have been urging technology manufacturers to move away from using insecure default passwords, given the significant security risks they pose.
In this case, the vulnerability is particularly severe, with a rating of 10 out of 10 on the vulnerability severity scale. Exploiting the bug is relatively simple, requiring only the default password from the system's installation guide, which is publicly available on Hirsch's website.
Daigle's investigation began when he stumbled upon a Hirsch-made Enterphone MESH door entry panel in his hometown of Vancouver. Using the internet scanning site ZoomEye, he found 71 systems that were still relying on the default-shipped credentials. Each system displays the physical address of the building with the MESH system installed, so anyone logging in knows which building they have access to.
Daigle warned that it's possible to break into any of the affected buildings in a matter of minutes without arousing suspicion. The implications are far-reaching, with potential consequences including unauthorized access to secure areas, theft, and even physical harm to building occupants.
TechCrunch intervened in the matter because Hirsch has no vulnerability disclosure page, which would have allowed Daigle to report the security flaw directly to the company. Hirsch's CEO, Mark Allen, did not respond to requests for comment, deferring instead to a senior product manager who downplayed the issue, stating that the company's use of default passwords is "outdated" without providing further explanation.
The product manager also shifted the blame to customers who "installed systems and are not following the manufacturers' recommendations," referring to Hirsch's own installation instructions. Despite this, Hirsch has not committed to publicly disclosing details about the bug, instead opting to contact its customers about following the product's instruction manual.
The incident serves as a stark reminder that product development choices made in the past can have real-world implications years later. With Hirsch unwilling to fix the bug, some buildings and their occupants are likely to remain exposed, leaving them vulnerable to potential security breaches.
The story highlights the need for technology manufacturers to prioritize security and take responsibility for their products' vulnerabilities. It also underscores the importance of customers being aware of the security risks associated with default passwords and taking proactive steps to change them.