CVE-2026-6411

MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm

CVSS 7.3 HIGHEPSS 0.2%CWE-327

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

07 may 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Productos afectados

MAXHUB · MAXHUB Pivot client application

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01 https://www.maxhub.com/en/support/