[TIMESTAMP: 2026-05-08 08:40 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CVE-2026-6411: MAXHUB Pivot Client Hardcoded AES Key — Patch Guide

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Attackers can expose tenant email addresses and disrupt operations via denial-of-service by exploiting hardcoded cryptographic keys and unauthorized MQTT device enrollment.
  • [02] Affected systems: All versions of the MAXHUB Pivot client application prior to version 1.36.2 are vulnerable to these cryptographic and service availability flaws.
  • [03] Remediation: Organizations must update the MAXHUB Pivot client application to version 1.36.2 or later using the available over-the-air update mechanism.

Overview of MAXHUB Pivot Vulnerabilities

A high-severity vulnerability has been identified in the MAXHUB Pivot client application, primarily affecting the confidentiality of tenant data and the availability of the platform services. According to CISA, the vulnerability tracked as CVE-2026-6411 carries a CVSS base score of 7.3. The flaw stems from the use of a broken or risky cryptographic algorithm, specifically the inclusion of a hardcoded AES key within the application binaries.

Successful exploitation allows an unauthenticated attacker to retrieve and decrypt tenant email addresses and associated metadata. Furthermore, the vulnerability facilitates a denial-of-service (DoS) condition by allowing unauthorized entities to enroll rogue devices into a tenant environment via the MQTT protocol. This dual-threat CVE impacts MAXHUB Pivot client application versions prior to v1.36.2.

Technical Analysis of CVE-2026-6411

The primary technical failure in this instance is a violation of secure coding practices regarding secret management. By embedding a static, hardcoded AES key into the client-side code, the vendor has effectively negated the security of the encryption layer. Any actor capable of reverse-engineering the application can extract this key and use it to decrypt data intercepted from the network or extracted from the application’s configuration files.

Hardcoded Cryptographic Keys and Information Disclosure

The application utilizes AES encryption to protect sensitive tenant identifiers, particularly email addresses. However, because the key is static across all installations, the ciphertext offers no practical resistance to an informed attacker. This allows for bulk harvesting of tenant information, which can later be used to facilitate targeted phishing campaigns or broader identity-based attacks. This weakness highlights the risks inherent in client-side encryption when key rotation and secure key storage mechanisms are absent.
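The failure described above, as an added example (this is not MAXHUB code and makes no claim about how the Pivot client actually encrypts records): one function seals a record with AES-256-GCM under a key compiled into every client, the other under a key generated per installation, and crossInstanceReadable checks whether a second installation can open what the first sealed. The key bytes, the sample record and the function names are all constructed for this example; where a per-installation key should live (OS keystore, TPM-backed store) is assumed to be handled elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// staticKey models the anti-pattern: the same key compiled into every shipped
// client. The value is constructed for this example (32 bytes -> AES-256).
var staticKey = []byte("example-static-key-32-bytes-long")

// newDeviceKey models the fix: a fresh random key generated per installation.
// Where it is kept (OS keystore, TPM-backed store) is outside this example.
func newDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts one record with AES-256-GCM; the random nonce is
// prepended to the ciphertext so openRecord can recover it.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; GCM's tag check fails for any other key.
func openRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// crossInstanceReadable reports whether a record sealed by an installation
// holding keyA can be opened by a different installation holding keyB. With a
// hardcoded key every installation holds the same bytes, so the answer is
// always true and the encryption adds nothing once the key is known.
func crossInstanceReadable(keyA, keyB, record []byte) (bool, error) {
	sealed, err := sealRecord(keyA, record)
	if err != nil {
		return false, err
	}
	_, err = openRecord(keyB, sealed)
	return err == nil, nil
}

func main() {
	record := []byte("tenant-admin@example.com") // constructed sample record

	shared, err := crossInstanceReadable(staticKey, staticKey, record)
	if err != nil {
		panic(err)
	}
	k1, err := newDeviceKey()
	if err != nil {
		panic(err)
	}
	k2, err := newDeviceKey()
	if err != nil {
		panic(err)
	}
	perDevice, err := crossInstanceReadable(k1, k2, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("hardcoded key, readable by another installation:", shared)
	fmt.Println("per-device key, readable by another installation:", perDevice)
}
```

The point for reviewers of similar client code is the second result: once each installation holds its own key, a record lifted from one device's configuration or network traffic is useless on any other device, which is exactly the property a single static key cannot provide.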

MAXHUB Pivot Client Application DoS Vulnerability via MQTT

Beyond data disclosure, the vulnerability exposes the MQTT communication infrastructure used by the Pivot application. Attackers can leverage the flawed enrollment logic to register an arbitrary number of unauthorized devices to a specific tenant. This process can be automated to flood the tenant management interface, leading to a resource exhaustion state.

Security researchers should focus on detecting unauthorized MQTT device enrollment as a primary indicator of compromise. When a tenant is flooded with rogue device registrations, legitimate administrative actions may be delayed or entirely blocked, resulting in a persistent denial-of-service. This impact is particularly disruptive in large-scale deployments where centralized management of display hardware is critical for operations.

How to Mitigate CVE-2026-6411 Hardcoded AES Key

The most effective response to this threat is the immediate deployment of the patched version provided by the vendor. MAXHUB has released version v1.36.2, which addresses the hardcoded key issue and strengthens the MQTT enrollment process.

  1. Deploy Over-the-Air (OTA) Updates: The remediation is currently available via the standard OTA update channel. Administrators should verify that all managed devices have successfully transitioned to version v1.36.2 or later.
  2. Verify Patch Integrity: Ensure that the SOC or IT management team audits the version numbers across the fleet to confirm no legacy clients remain active.
  3. Monitor MQTT Traffic: Utilize a SIEM or network monitoring tool to inspect MQTT traffic for unusual spikes in enrollment requests or connections from unknown IP ranges.
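The monitoring step above and the rogue-enrollment indicator from the DoS section, as an added example (not MAXHUB, CISA or any SIEM vendor's code): a small detector that parses broker-style enrollment log lines, raises an alert when a tenant's enrollments within a sliding window reach a threshold, and raises a separate alert for enrollments from outside the source ranges an administrator has listed as known. The log line format, field names, tenant names, addresses and the sample lines are all constructed for this example; a real deployment would map the broker's actual log fields onto parseEnrollment.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Constructed log format (an assumption, not the Pivot broker's real format):
//   <RFC3339 time> tenant=<id> action=<enroll|heartbeat|...> device=<id> src=<ip>
var sampleLog = []string{
	"2026-05-08T08:40:00Z tenant=acme action=enroll device=dev-1001 src=198.51.100.10",
	"2026-05-08T08:40:03Z tenant=acme action=enroll device=dev-1002 src=198.51.100.10",
	"2026-05-08T08:40:05Z tenant=acme action=heartbeat device=dev-1001 src=198.51.100.10",
	"2026-05-08T08:40:06Z tenant=acme action=enroll device=dev-1003 src=198.51.100.10",
	"2026-05-08T08:40:09Z tenant=acme action=enroll device=dev-1004 src=198.51.100.10",
	"2026-05-08T08:40:12Z tenant=acme action=enroll device=dev-1005 src=198.51.100.10",
	"2026-05-08T08:40:15Z tenant=acme action=enroll device=dev-1006 src=198.51.100.10",
	"2026-05-08T08:41:00Z tenant=globex action=enroll device=dev-2001 src=203.0.113.7",
	"2026-05-08T08:46:00Z tenant=globex action=enroll device=dev-2002 src=203.0.113.7",
}

type Enrollment struct {
	At     time.Time
	Tenant string
	Device string
	Src    netip.Addr
}

type Alert struct {
	Kind   string // "burst" or "unknown-source"
	Tenant string
	At     time.Time
	Detail string
}

// parseEnrollment returns ok=false for non-enrollment lines and malformed input.
func parseEnrollment(line string) (Enrollment, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return Enrollment{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Enrollment{}, false
	}
	e := Enrollment{At: at}
	isEnroll := false
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "tenant":
			e.Tenant = v
		case "action":
			isEnroll = v == "enroll"
		case "device":
			e.Device = v
		case "src":
			a, err := netip.ParseAddr(v)
			if err != nil {
				return Enrollment{}, false
			}
			e.Src = a
		}
	}
	if !isEnroll || e.Tenant == "" || !e.Src.IsValid() {
		return Enrollment{}, false
	}
	return e, true
}

type Detector struct {
	Window    time.Duration
	Threshold int
	Allowed   []netip.Prefix         // source ranges the administrator knows
	recent    map[string][]time.Time // per-tenant enrollment times in window
}

func NewDetector(window time.Duration, threshold int, allowed []string) (*Detector, error) {
	d := &Detector{Window: window, Threshold: threshold, recent: map[string][]time.Time{}}
	for _, s := range allowed {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, err
		}
		d.Allowed = append(d.Allowed, p)
	}
	return d, nil
}

func (d *Detector) knownSource(a netip.Addr) bool {
	for _, p := range d.Allowed {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Feed processes one enrollment; lines are assumed to arrive in time order.
// The burst alert fires once, when the in-window count reaches the threshold.
func (d *Detector) Feed(e Enrollment) []Alert {
	var alerts []Alert
	if !d.knownSource(e.Src) {
		alerts = append(alerts, Alert{"unknown-source", e.Tenant, e.At,
			"enrollment of " + e.Device + " from " + e.Src.String()})
	}
	ts := append(d.recent[e.Tenant], e.At)
	cut := e.At.Add(-d.Window)
	for len(ts) > 0 && ts[0].Before(cut) {
		ts = ts[1:]
	}
	d.recent[e.Tenant] = ts
	if len(ts) == d.Threshold {
		alerts = append(alerts, Alert{"burst", e.Tenant, e.At,
			fmt.Sprintf("%d enrollments within %s", len(ts), d.Window)})
	}
	return alerts
}

// Analyze runs every line through the detector and collects the alerts.
func Analyze(lines []string, d *Detector) []Alert {
	var out []Alert
	for _, l := range lines {
		if e, ok := parseEnrollment(l); ok {
			out = append(out, d.Feed(e)...)
		}
	}
	return out
}

func main() {
	d, err := NewDetector(60*time.Second, 5, []string{"198.51.100.0/24"})
	if err != nil {
		panic(err)
	}
	for _, a := range Analyze(sampleLog, d) {
		fmt.Printf("%s %-14s tenant=%s %s\n", a.At.Format(time.RFC3339), a.Kind, a.Tenant, a.Detail)
	}
}
```

On the constructed sample, tenant acme trips the burst rule at its fifth enrollment in fifteen seconds while the sixth does not re-fire, and tenant globex never bursts but produces an unknown-source alert for each enrollment because 203.0.113.7 is outside the listed range. The threshold and window are starting points to tune against a fleet's normal enrollment rate, and the burst rule alone is the one to watch for the resource-exhaustion pattern described above.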

Defensive Recommendations

In addition to patching, CISA recommends several defensive measures to reduce the attack surface for industrial and IT control systems. Organizations should minimize network exposure for all control system devices and ensure they are not directly accessible from the public internet. Isolating these systems behind firewalls and utilizing Virtual Private Networks (VPNs) for remote access can provide a layered defense.

Defenders should also conduct a thorough impact analysis before and after the update to ensure that the removal of the hardcoded key does not break existing legacy integrations. Continuous monitoring for unauthorized device registrations remains a priority for maintaining the availability of the MAXHUB Pivot environment.
