Skip to main content

MAXHUB Pivot CVE-2026-6411

| EUVDEUVD-2026-28471 HIGH
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-05-07 icscert GHSA-m8jc-jjj9-hgc8
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
May 08, 2026 - 02:16 EUVD
Analysis Generated
May 07, 2026 - 23:15 vuln.today
CVE Published
May 07, 2026 - 22:25 nvd
HIGH 7.3

DescriptionCVE.org

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

AnalysisAI

Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.

Technical ContextAI

MAXHUB Pivot is a client application for MAXHUB collaboration displays and conference room systems, commonly deployed in corporate and industrial environments. This vulnerability stems from CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), specifically the embedding of a static AES encryption key directly in the application binary. The affected component uses MQTT protocol for device enrollment and tenant management. CPE identifier confirms the vulnerability exists in all versions of MAXHUB Pivot client application prior to v1.36.2 across all platforms. Hardcoded cryptographic keys violate fundamental security principles because any attacker with access to the application binary can extract the key through static analysis or reverse engineering, rendering the encryption scheme effectively useless. The MQTT enrollment mechanism lacks proper authentication controls, allowing unauthorized device registration when combined with the compromised encryption.

RemediationAI

Upgrade MAXHUB Pivot client application to version 1.36.2 or later, which addresses the hardcoded AES key vulnerability per CISA advisory ICSA-26-127-01. Download the patched version from https://www.maxhub.com/en/support/ and deploy across all MAXHUB devices and management workstations. Organizations unable to immediately patch should implement network segmentation to restrict MQTT protocol access (typically TCP port 1883/8883) to only trusted management networks, blocking external Internet access to MAXHUB infrastructure - this prevents remote exploitation but does not address insider threat scenarios. Additionally, monitor MQTT broker logs for unauthorized device enrollment attempts showing unusual quantities of connection requests or registrations from unexpected IP ranges. As a detective control, audit existing enrolled devices against authorized asset inventory to identify potentially malicious enrollments. Note that network restrictions do not prevent decryption of already-exfiltrated encrypted data if an attacker previously obtained it, so assume previously captured tenant metadata may be compromised and consider implications for phishing defense posture.

Share

CVE-2026-6411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy