VYPR
Advisory · Published May 9, 2026 · Updated May 17, 2026 · 1 source

Hardcoded Key in MAXHUB Pivot Client Exposes Tenant Data and Risks DoS

A hardcoded cryptographic key in the MAXHUB Pivot client application allows attackers to decrypt sensitive tenant data and disrupt operations via unauthorized device enrollment.

A high-severity vulnerability has been identified in the MAXHUB Pivot client application that exposes tenant email addresses and creates the potential for service disruption. The flaw, tracked as CVE-2026-6411, carries a CVSS base score of 7.3, which falls in the High range CISA.

The vulnerability stems from the use of a hardcoded AES cryptographic key within the application, classified under CWE-327: Use of a Broken or Risky Cryptographic Algorithm CISA (the more specific CWE-321, Use of Hard-coded Cryptographic Key, describes the same defect). Because the same key ships in every copy of the software, anyone who can extract it from the application binary can decrypt intercepted data and read tenant email addresses and associated metadata in cleartext CISA.
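The following Go program is an added illustration, not code from MAXHUB or from the advisory, of why a key compiled into a client is not a secret: a client that encrypts a tenant record under a shipped constant, an "attacker" who has pulled that constant out of the binary and decrypts a captured message, and a hardened client whose key is generated per device at enrollment so the same extracted constant no longer opens the traffic. The key bytes, the tenant record and the AES-256-GCM framing are all constructed for this example and are assumptions, not details from the advisory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hardcodedKey stands in for a key compiled into every copy of a client.
// CONSTRUCTED for this example; it is not the key from the advisory.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256

// seal encrypts plaintext with AES-256-GCM under key and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails the GCM tag check and returns an error.
func open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// VulnerableClientEncrypt models the flawed pattern: every installation
// protects tenant records with the same hardcodedKey.
func VulnerableClientEncrypt(record []byte) ([]byte, error) {
	return seal(hardcodedKey, record)
}

// AttackerDecrypt models an attacker who extracted extractedKey from the
// application binary and captured msg from the wire (for example an MQTT publish).
func AttackerDecrypt(extractedKey, msg []byte) ([]byte, error) {
	return open(extractedKey, msg)
}

// HardenedClient holds a key provisioned to this one device at enrollment.
type HardenedClient struct{ deviceKey []byte }

// Enroll generates a fresh random key per device. The backend would store it
// against the device identity; the shipped binary itself contains no key.
func Enroll() (*HardenedClient, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &HardenedClient{deviceKey: k}, nil
}

// Encrypt protects a record under the per-device key.
func (c *HardenedClient) Encrypt(record []byte) ([]byte, error) {
	return seal(c.deviceKey, record)
}

func main() {
	record := []byte(`{"tenant":"acme","admin":"ops@example.test"}`) // constructed sample

	msg, _ := VulnerableClientEncrypt(record)
	pt, err := AttackerDecrypt(hardcodedKey, msg)
	fmt.Printf("vulnerable client: attacker recovered %q (err=%v)\n", pt, err)

	dev, _ := Enroll()
	msg2, _ := dev.Encrypt(record)
	pt2, err := AttackerDecrypt(hardcodedKey, msg2)
	fmt.Printf("hardened client: attacker recovered %q (err=%v)\n", pt2, err)
}
```

The first call succeeds because the attacker's copy of the constant is the real key; the second fails the GCM authentication tag, which is the behaviour a per-device key is meant to buy. In a real deployment the enrollment step would also have to authenticate the device before handing out a key, which is the piece a shared constant cannot provide.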

Beyond data exposure, the flaw also introduces a significant operational risk. Using the MQTT protocol the client communicates over, an attacker can enroll many unauthorized devices into a tenant environment, producing a denial-of-service (DoS) condition that disrupts normal operations CISA. All versions of the MAXHUB Pivot client application prior to v1.36.2 are affected CISA.

The issue was discovered and reported to the vendor by researchers Malik Makkes and Yassine Bengana of Abicom Groupe OCI CISA. MAXHUB has confirmed that the vulnerability is present in its client application and has released a fix to address the underlying cryptographic weaknesses CISA.

To remediate the vulnerability, users must upgrade their MAXHUB Pivot client application to version v1.36.2 or newer CISA. The vendor has made this update available via an over-the-air (OTA) mechanism CISA. At the time of the advisory, MAXHUB reported that it was not aware of any public exploitation of this vulnerability CISA.

CISA recommends that organizations minimize the network exposure of all control system devices by isolating them from the public internet and placing them behind firewalls CISA. If remote access is required, organizations should use secure methods such as VPNs, while recognizing that a VPN is only as secure as the devices it connects and keeping it up to date CISA.

This discovery highlights the ongoing risk of hardcoded credentials and cryptographic keys in enterprise software: a key that is the same in every installed copy is effectively public once one copy has been reverse engineered. As organizations increasingly rely on interconnected client applications for management, data in transit should be protected by keys that are provisioned per device or per tenant at enrollment rather than compiled into the binary. Organizations should continue to monitor vendor support pages for further security updates CISA.

Synthesized by Vypr AI