According to a security researcher, a widely used door access control system has a default password that allows unauthorized individuals to easily and remotely access door locks and elevator controls in numerous buildings across the United States and Canada.
Hirsch, the company that owns the Enterphone MESH door access system, has declined to address the vulnerability, claiming that it is a design feature and that customers should have followed the company’s setup instructions to change the default password.
As a result, dozens of residential and office buildings in North America remain exposed, as they have not changed their access control system’s default password or are unaware of the need to do so, according to Eric Daigle, who discovered the vulnerability and identified numerous exposed buildings.
Default passwords are common in internet-connected devices, but relying on customers to change them to prevent malicious access is still considered a security vulnerability. In the case of Hirsch’s door entry products, customers are not prompted to change the default password during installation.
Daigle’s discovery of the security bug, designated as CVE-2025-26793, highlights the importance of secure default settings. The vulnerability allows anyone to log in to the system using the default password, which can be found in the instruction manual or online.
No planned fix
Default passwords have long been a problem for internet-connected devices, allowing hackers to log in and steal data or hijack devices for malicious purposes. Governments have recently taken steps to encourage technology manufacturers to avoid using insecure default passwords due to the associated security risks.
In the case of Hirsch’s door entry system, the bug is considered highly severe, with a rating of 10 out of 10, due to its ease of exploitation. Anyone can exploit the bug by using the default password from the system’s installation guide to log in to an affected building’s system.
Daigle discovered the vulnerability after finding a Hirsch-made Enterphone MESH door entry panel in his hometown of Vancouver. He used an internet scanning site to find 71 systems that still relied on the default-shipped credentials.
The default password provides access to the MESH system’s web-based backend, which building managers use to manage access to elevators, common areas, and door locks. Each system displays the physical address of the building, allowing anyone logging in to know which building they have access to.
Daigle reported that it was possible to break into any of the affected buildings in minutes without detection. TechCrunch became involved because Hirsch had no vulnerability disclosure page through which security flaws could be reported.
Hirsch’s CEO, Mark Allen, did not respond to TechCrunch’s request for comment, but a senior product manager acknowledged that the company’s use of default passwords is outdated. The manager expressed concern that some customers had not followed the manufacturer’s recommendations, referring to Hirsch’s own installation instructions.
Hirsch has not committed to publicly disclosing details about the bug but has contacted its customers about following the product’s instruction manual. With the company unwilling to fix the bug, some buildings and their occupants are likely to remain exposed, highlighting the potential consequences of outdated product development choices.