CVE-2025-26793 Scanner
CVE-2025-26793 Scanner - Default Credentials vulnerability in FREEDOM Administration
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 4 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
FREEDOM Administration is a web-based management system for access control and security configuration in residential and commercial buildings. It is commonly deployed in apartment complexes, office buildings, and gated communities. Administrators use it to manage user access permissions, review security logs, and configure the connected access-control hardware. The software is used in Canada and the United States to regulate building access and protect resident information, and it is designed to integrate with existing security infrastructure, which makes it a central component of property management. Because it sits directly in front of physical security controls, any vulnerability in this system can have severe real-world consequences.
This vulnerability affects the FREEDOM Administration system and allows attackers to obtain administrative access using default credentials. The web GUI configuration panel ships with a preset login that the software does not require administrators to change during initial setup, so every deployment whose operator did not change it manually remains exploitable. The issue is categorized under CWE-521 (Weak Password Requirements). An attacker who logs in with the default account can read security logs, change entry controls, and access resident information. The widespread use of these systems in apartment buildings increases the likelihood of exploitation.
The vulnerability is caused by the system's reliance on default credentials. The login (username: "freedom", password: "viscount") is set at installation and the software never forces a change. An attacker simply submits an ordinary login request, an HTTP POST to the "/mesh/servlet/mesh.webadmin.MESHAdminServlet" endpoint, with these credentials; if they are still in place the server issues an authenticated session and grants full access to the control panel. No memory corruption or bypass is involved: the authentication works exactly as designed, and the flaw is that the design does not enforce a credential change, so a large share of deployments stay vulnerable. This lets attackers remotely read and modify security settings without any prior access. A practical check is to attempt the default login against the panel and compare the server's reaction with its reaction to a deliberately wrong password; a redirect or new session cookie for the default pair, where the wrong password only re-renders the login form, confirms the issue.
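The differential login check described above, written out as an added example (this is not code from the original page or from the vendor). The endpoint path and the freedom/viscount pair come from the text; the form field names "username" and "password", the success heuristics (redirect, session cookie, absence of the login form) and the two canned device responses are assumptions constructed for illustration, so the script can run offline.

```python
"""Differential check for the default FREEDOM Administration credentials.

Added example, not the page's or the vendor's code. It assumes the login
is an ordinary form POST with fields "username" and "password" (assumed
names); the endpoint and the freedom/viscount pair come from the text.
Instead of matching a post-login page whose markup is unknown, it compares
the server's reaction to the default password against its reaction to a
random one: an accepted login normally redirects or issues a session
cookie, while a rejected one re-renders the login form.
"""
import secrets
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

ENDPOINT = "/mesh/servlet/mesh.webadmin.MESHAdminServlet"
DEFAULT_USER, DEFAULT_PASS = "freedom", "viscount"


@dataclass(frozen=True)
class Reply:
    status: int
    headers: dict   # header names lower-cased
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the redirect itself is the signal we want to keep."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_post(url, fields, timeout=10):
    """Live transport: form-encoded POST; 3xx and 4xx come back as Reply, not exceptions."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as r:
            return Reply(r.status, {k.lower(): v for k, v in r.headers.items()},
                         r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Reply(e.code, {k.lower(): v for k, v in e.headers.items()},
                     e.read().decode("utf-8", "replace"))


def looks_like_login_form(body):
    """Heuristic: a page that still contains a password input is a rejected login."""
    b = body.lower().replace("'", '"')
    return "<form" in b and 'type="password"' in b


def fingerprint(reply):
    """Features that separate an accepted login from a rejected one."""
    return (reply.status, reply.headers.get("location", ""),
            "set-cookie" in reply.headers, looks_like_login_form(reply.body))


def check_default_credentials(base_url, transport=http_post):
    """Return (vulnerable, reason). `transport(url, fields) -> Reply` is pluggable
    so the decision logic can be exercised against canned responses."""
    url = base_url.rstrip("/") + ENDPOINT
    # Control request: same user, random password. One extra failed login per host.
    control = transport(url, {"username": DEFAULT_USER, "password": secrets.token_hex(16)})
    probe = transport(url, {"username": DEFAULT_USER, "password": DEFAULT_PASS})
    if fingerprint(control) == fingerprint(probe):
        return False, "default and random password are handled identically"
    accepted = probe.status in (301, 302, 303, 307, 308) or (
        probe.status == 200 and not looks_like_login_form(probe.body))
    if accepted:
        return True, f"default credentials accepted (probe {probe.status}, control {control.status})"
    return False, "responses differ but the default login still returns the login form"


# Constructed sample responses (not captured from a real device) for offline runs.
LOGIN_FORM = ('<html><form method="post"><input name="username">'
              '<input type="password" name="password"></form></html>')


def vulnerable_device(url, fields):
    if (fields["username"], fields["password"]) == (DEFAULT_USER, DEFAULT_PASS):
        return Reply(302, {"location": ENDPOINT + "?page=main", "set-cookie": "sid=1"}, "")
    return Reply(200, {"content-type": "text/html"}, LOGIN_FORM)


def hardened_device(url, fields):
    return Reply(200, {"content-type": "text/html"}, LOGIN_FORM)


if __name__ == "__main__":
    for name, dev in (("vulnerable", vulnerable_device), ("hardened", hardened_device)):
        print(name, check_default_credentials("http://192.0.2.10", transport=dev))
```

Against a live panel call `check_default_credentials("https://<host>")` with the default transport. The control request is one deliberately failed login with the default username, so on a device with account lockout it counts against that account; run the check once per host, and treat "responses differ but still shows the login form" as inconclusive rather than safe, since some panels answer a correct login with a 200 page that does not match the heuristic.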
Exploitation of this vulnerability gives an attacker administrative control of the building access system without any legitimate account. They can modify security configurations, disable surveillance features, or issue new access credentials. They can also extract personally identifiable information (PII) of building residents, enabling identity theft or social engineering. Remote control of entry systems is a severe risk to residents and property managers, and in the worst case this flaw can be used to gain physical access to apartment buildings and office complexes. Organizations running this system should change the default password immediately, confirm that the default login is rejected, and keep the administration panel off the public internet, reachable only from a management network.