Search criteria
2 vulnerabilities by MAXHUB
CVE-2026-6411 (GCVE-0-2026-6411)
Vulnerability from cvelistv5 – Published: 2026-05-07 22:25 – Updated: 2026-05-08 13:06
VLAI
Title
MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm
Summary
This vulnerability, in the MAXHUB Pivot client application versions
prior to v1.36.2, may allow an attacker to obtain encrypted tenant email
addresses and related metadata from any tenant. Due to the presence of a
hardcoded AES key within the application, the encrypted data can be
decrypted, enabling access to tenant email addresses and associated
information in cleartext. Furthermore, an attacker may be able to cause a
denial-of-service condition by enrolling multiple unauthorized devices
into a tenant via MQTT, potentially disrupting tenant operations.
Severity
7.3 (High)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MAXHUB | MAXHUB Pivot client application |
Affected:
0 , < 1.36.2
(custom)
Unaffected: 1.36.2 |
Date Public
2026-05-05 21:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T13:05:50.323897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:06:12.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MAXHUB Pivot client application",
"vendor": "MAXHUB",
"versions": [
{
"lessThan": "1.36.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.36.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Malik MAKKES and Yassine BENGANA of Abicom Groupe OCI reported this vulnerability to MAXHUB."
}
],
"datePublic": "2026-05-05T21:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability, in the MAXHUB Pivot client application versions \nprior to v1.36.2, may allow an attacker to obtain encrypted tenant email\n addresses and related metadata from any tenant. Due to the presence of a\n hardcoded AES key within the application, the encrypted data can be \ndecrypted, enabling access to tenant email addresses and associated \ninformation in cleartext. Furthermore, an attacker may be able to cause a\n denial-of-service condition by enrolling multiple unauthorized devices \ninto a tenant via MQTT, potentially disrupting tenant operations."
}
],
"value": "This vulnerability, in the MAXHUB Pivot client application versions \nprior to v1.36.2, may allow an attacker to obtain encrypted tenant email\n addresses and related metadata from any tenant. Due to the presence of a\n hardcoded AES key within the application, the encrypted data can be \ndecrypted, enabling access to tenant email addresses and associated \ninformation in cleartext. Furthermore, an attacker may be able to cause a\n denial-of-service condition by enrolling multiple unauthorized devices \ninto a tenant via MQTT, potentially disrupting tenant operations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T22:25:54.959Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.maxhub.com/en/support/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MAXHUB recommends users upgrade the Pivot client application to v1.36.2 \nor newer. The remediation has been made available through an OTA update.\n Users running v1.36.2 or later are not affected and need only ensure \nthey continue to maintain the latest version. At this time, MAXHUB is \nnot aware of any public exploitation of this issue. For more \ninformation, see the MAXHUB support page.\u003cbr\u003e\u003ca href=\"https://www.maxhub.com/en/support/\"\u003ehttps://www.maxhub.com/en/support/\u003c/a\u003e"
}
],
"value": "MAXHUB recommends users upgrade the Pivot client application to v1.36.2 \nor newer. The remediation has been made available through an OTA update.\n Users running v1.36.2 or later are not affected and need only ensure \nthey continue to maintain the latest version. At this time, MAXHUB is \nnot aware of any public exploitation of this issue. For more \ninformation, see the MAXHUB support page.\n https://www.maxhub.com/en/support/"
}
],
"source": {
"advisory": "ICSA-26-127-01",
"discovery": "EXTERNAL"
},
"title": "MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-6411",
"datePublished": "2026-05-07T22:25:54.959Z",
"dateReserved": "2026-04-15T23:14:19.539Z",
"dateUpdated": "2026-05-08T13:06:12.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53704 (GCVE-0-2025-53704)
Vulnerability from cvelistv5 – Published: 2025-12-04 21:44 – Updated: 2025-12-05 19:21
VLAI
Title
MAXHUB Pivot Weak Password Recovery Mechanism for Forgotten Password
Summary
The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.
Severity
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MAXHUB | Pivot client application |
Affected:
0 , < 1.36.2
(custom)
Unaffected: 1.36.2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T19:21:05.023674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T19:21:16.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pivot client application",
"vendor": "MAXHUB",
"versions": [
{
"lessThan": "1.36.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.36.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Malik MAKKES of Abicom Groupe OCI reported this vulnerability to MAXHUB."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.\u003c/span\u003e"
}
],
"value": "The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T21:44:06.466Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.maxhub.com/en/support/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-02"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-02.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMAXHUB recommends users to upgrade the Pivot client application to v1.36.2 or newer. For more information, see the \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.maxhub.com/en/support/\"\u003eMAXHUB support page.\u003c/a\u003e\n\n\u003cbr\u003e"
}
],
"value": "MAXHUB recommends users to upgrade the Pivot client application to v1.36.2 or newer. For more information, see the MAXHUB support page. https://www.maxhub.com/en/support/"
}
],
"source": {
"advisory": "ICSA-25-338-02",
"discovery": "UNKNOWN"
},
"title": "MAXHUB Pivot Weak Password Recovery Mechanism for Forgotten Password",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-53704",
"datePublished": "2025-12-04T21:44:06.466Z",
"dateReserved": "2025-07-30T19:03:10.106Z",
"dateUpdated": "2025-12-05T19:21:16.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}