A security researcher says the default password shipped in a widely used door access control system allows anyone to easily and remotely access door locks and elevator controls in dozens of buildings across the U.S. and Canada.
Hirsch, the company that now owns the Enterphone MESH door access system, won’t fix the vulnerability, saying that the bug is by design and that customers should have followed the company’s setup instructions and changed the default password.
That leaves dozens of residential and office buildings across North America exposed because they have not yet changed their access control system’s default password or are unaware that they should, according to Eric Daigle, who found the exposed buildings.
Default passwords are neither uncommon nor necessarily secret in internet-connected devices; passwords shipped with products are typically designed to simplify login access for the customer and are often found in the product’s instruction manual. But relying on a customer to change a default password to prevent any future malicious access still counts as a security vulnerability within the product itself.
In the case of Hirsch’s door entry products, customers installing the system are not prompted or required to change the default password.
As such, Daigle was credited with the discovery of the security bug, formally designated as CVE-2025-26793.
No planned fix
Default passwords have long been a problem for internet-connected devices, allowing malicious hackers to use the passwords to log in as if they were the rightful owner and steal data, or hijack the devices to harness their bandwidth for launching cyberattacks. In recent years, governments have sought to nudge technology makers away from using insecure default passwords given the security risks they present.
In the case of Hirsch’s door entry system, the bug is rated as a 10 out of 10 on the vulnerability severity scale, thanks to the ease with which anyone can exploit it. Practically speaking, exploiting the bug is as simple as taking the default password from the system’s installation guide on Hirsch’s website and plugging the password into the internet-facing login page on any affected building’s system.
In a blog post, Daigle …