Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.
AnalysisAI
Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.
Technical ContextAI
MAXHUB Pivot is a client application for MAXHUB collaboration displays and conference room systems, commonly deployed in corporate and industrial environments. This vulnerability stems from CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), specifically the embedding of a static AES encryption key directly in the application binary. The affected component uses MQTT protocol for device enrollment and tenant management. CPE identifier confirms the vulnerability exists in all versions of MAXHUB Pivot client application prior to v1.36.2 across all platforms. Hardcoded cryptographic keys violate fundamental security principles because any attacker with access to the application binary can extract the key through static analysis or reverse engineering, rendering the encryption scheme effectively useless. The MQTT enrollment mechanism lacks proper authentication controls, allowing unauthorized device registration when combined with the compromised encryption.
RemediationAI
Upgrade MAXHUB Pivot client application to version 1.36.2 or later, which addresses the hardcoded AES key vulnerability per CISA advisory ICSA-26-127-01. Download the patched version from https://www.maxhub.com/en/support/ and deploy across all MAXHUB devices and management workstations. Organizations unable to immediately patch should implement network segmentation to restrict MQTT protocol access (typically TCP port 1883/8883) to only trusted management networks, blocking external Internet access to MAXHUB infrastructure - this prevents remote exploitation but does not address insider threat scenarios. Additionally, monitor MQTT broker logs for unauthorized device enrollment attempts showing unusual quantities of connection requests or registrations from unexpected IP ranges. As a detective control, audit existing enrolled devices against authorized asset inventory to identify potentially malicious enrollments. Note that network restrictions do not prevent decryption of already-exfiltrated encrypted data if an attacker previously obtained it, so assume previously captured tenant metadata may be compromised and consider implications for phishing defense posture.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28471
GHSA-m8jc-jjj9-hgc8