{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6411", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-04-15T23:14:19.539Z", "datePublished": "2026-05-07T22:25:54.959Z", "dateUpdated": "2026-05-07T22:25:54.959Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-05-07T22:25:54.959Z"}, "title": "MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm", "datePublic": "2026-05-05T21:45:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-327", "description": "CWE-327", "type": "CWE"}]}], "affected": [{"vendor": "MAXHUB", "product": "MAXHUB Pivot client application", "versions": [{"status": "affected", "version": "0", "lessThan": "1.36.2", "versionType": "custom"}, {"status": "unaffected", "version": "1.36.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "This vulnerability, in the MAXHUB Pivot client application versions \nprior to v1.36.2, may allow an attacker to obtain encrypted tenant email\n addresses and related metadata from any tenant. Due to the presence of a\n hardcoded AES key within the application, the encrypted data can be \ndecrypted, enabling access to tenant email addresses and associated \ninformation in cleartext. Furthermore, an attacker may be able to cause a\n denial-of-service condition by enrolling multiple unauthorized devices \ninto a tenant via MQTT, potentially disrupting tenant operations.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This vulnerability, in the MAXHUB Pivot client application versions \nprior to v1.36.2, may allow an attacker to obtain encrypted tenant email\n addresses and related metadata from any tenant. Due to the presence of a\n hardcoded AES key within the application, the encrypted data can be \ndecrypted, enabling access to tenant email addresses and associated \ninformation in cleartext. Furthermore, an attacker may be able to cause a\n denial-of-service condition by enrolling multiple unauthorized devices \ninto a tenant via MQTT, potentially disrupting tenant operations."}]}], "references": [{"url": "https://www.maxhub.com/en/support/"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "MAXHUB recommends users upgrade the Pivot client application to v1.36.2 \nor newer. The remediation has been made available through an OTA update.\n Users running v1.36.2 or later are not affected and need only ensure \nthey continue to maintain the latest version. At this time, MAXHUB is \nnot aware of any public exploitation of this issue. For more \ninformation, see the MAXHUB support page.\n https://www.maxhub.com/en/support/", "supportingMedia": [{"type": "text/html", "base64": false, "value": "MAXHUB recommends users upgrade the Pivot client application to v1.36.2 \nor newer. The remediation has been made available through an OTA update.\n Users running v1.36.2 or later are not affected and need only ensure \nthey continue to maintain the latest version. At this time, MAXHUB is \nnot aware of any public exploitation of this issue. For more \ninformation, see the MAXHUB support page.<br><a href=\"https://www.maxhub.com/en/support/\">https://www.maxhub.com/en/support/</a>"}]}], "credits": [{"lang": "en", "value": "Malik MAKKES and Yassine BENGANA of Abicom Groupe OCI reported this vulnerability to MAXHUB.", "type": "finder"}], "source": {"advisory": "ICSA-26-127-01", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability, in the MAXHUB Pivot client application versions \nprior to v1.36.2, may allow an attacker to obtain encrypted tenant email\n addresses and related metadata from any tenant. Due to the presence of a\n hardcoded AES key within the application, the encrypted data can be \ndecrypted, enabling access to tenant email addresses and associated \ninformation in cleartext. Furthermore, an attacker may be able to cause a\n denial-of-service condition by enrolling multiple unauthorized devices \ninto a tenant via MQTT, potentially disrupting tenant operations."}], "id": "CVE-2026-6411", "lastModified": "2026-05-07T23:16:32.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-05-07T23:16:32.987", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.maxhub.com/en/support/"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{}