A security researcher says the default password shipped in a widely used door access control system allows anyone to easily and remotely access door locks and elevator controls in dozens of buildings across the U.S. and Canada.
Eric Daigle said he found exposed residential and office buildings across North America that have not yet changed their access control system’s default password, or are unaware that they should.
Hirsch, the company that now owns the Enterphone MESH door access system, says it will fix the security flaw with an upcoming patch requiring customers to change the default password.
Default passwords are neither uncommon nor necessarily a secret in internet-connected devices; passwords shipped with products are typically designed to simplify login access for the customer and are often found in the product's instruction manual. But relying on a customer to change a default password to prevent any future malicious access still counts as a security vulnerability within the product itself.
In the case of Hirsch’s door entry products, customers installing the system were not prompted or required to change the default password.
As such, Daigle was credited with the discovery of the security bug, formally designated as CVE-2025-26793.
Door locks and elevator access
Default passwords have long been a problem for internet-connected devices, allowing malicious hackers to use the passwords to log in as if they were the rightful owner and steal data, or hijack the devices to harness their bandwidth for launching cyberattacks. In recent years, governments have sought to nudge technology makers away from using insecure default passwords given the security risks they present.
In the case of Hirsch’s door entry system, the bug is rated as a 10 out of 10 on the vulnerability severity scale, thanks to the ease with which anyone can exploit it.
Practically speaking, exploiting the bug is as simple as taking the default password from the system’s installation guide on Hirsch’s website and plugging the password into the internet-facing login page on any affected building’s system.
In a blog post, Daigle said he found the vulnerability in 2024 after discovering one of the Hirsch-made Enterphone MESH door entry panels on a building in his hometown of Vancouver. Daigle used internet scanning site ZoomEye to look for Enterphone MESH systems that were connected to the internet, and found 71 systems that still relied on the default-shipped credentials.
Daigle said the default password allowed access to MESH’s web-based back-end system, which building managers use to manage access to elevators, common areas, and office and residential door locks. Each system displays the physical address of the building with the MESH system installed, allowing anyone logging in to know which building they had access to.
Daigle said it was possible to effectively break into any of the dozens of affected buildings in minutes without attracting any attention.
Fix planned for March
TechCrunch intervened because Hirsch at the time did not have the means for members of the public, like Daigle, to report a security flaw to the company.
Hirsch CEO Mark Allen did not respond to TechCrunch’s request for comment but instead deferred to senior Hirsch staff. Following publication, the company has confirmed it will roll out a security patch in mid-March that will require the default administrator account password to be changed during activation.
Hirsch added that new Enterphone order shipments will be delayed until the patch is in production to address the bug, and that it had contacted its customers with reminders to update their Enterphone web consoles with unique passwords.
The company said that it appreciates the work of security researchers in identifying risks and strengthening cybersecurity practices, and plans to update its website with a security reporting page that allows the public to report security bugs.
Updated to clarify the second paragraph, and on February 28 to include a new post-publication comment from Hirsch acknowledging the security fix.