Attack Chain

1. An attacker identifies a MAXHUB Pivot client application running a version prior to v1.36.2.
2. The attacker gains access to the application’s installation directory or memory to extract the hardcoded AES key.
3. The attacker intercepts network traffic or accesses local data stores where tenant email addresses and metadata are stored in encrypted form.
4. The attacker uses the extracted AES key to decrypt the intercepted data, revealing tenant email addresses and associated information in cleartext.
5. (Optional) The attacker enrolls multiple unauthorized devices into a tenant via MQTT, leveraging the vulnerability to flood the system with requests.
6. The excessive number of enrolled devices overwhelms the tenant’s resources, leading to a denial-of-service condition.
7. Legitimate users are unable to access or use the MAXHUB Pivot client application, disrupting tenant operations.

Impact

Successful exploitation of CVE-2026-6411 allows an attacker to access sensitive tenant email addresses and associated metadata in cleartext. This information could be used for further malicious activities, such as phishing or identity theft. Furthermore, an attacker may trigger a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, which disrupts tenant operations and potentially leads to financial losses due to downtime and recovery efforts. There is no known public exploitation specifically targeting this vulnerability reported to CISA at this time.

Recommendation

• Upgrade the MAXHUB Pivot client application to version v1.36.2 or newer to remediate CVE-2026-6411, as recommended by MAXHUB in their advisory.
• Implement network segmentation to minimize the exposure of MAXHUB Pivot client application instances to potential attackers, as per CISA’s recommended practices.
• Deploy the Sigma rule “Detect MAXHUB Pivot Client Application Hardcoded AES Key Usage” to detect potential exploitation attempts by monitoring for suspicious decryption activities.