Maxhub Pivot Client Application
Monthly
Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.
Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.