References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

This vulnerability, in the MAXHUB Pivot client application versions 
prior to v1.36.2, may allow an attacker to obtain encrypted tenant email
 addresses and related metadata from any tenant. Due to the presence of a
 hardcoded AES key within the application, the encrypted data can be 
decrypted, enabling access to tenant email addresses and associated 
information in cleartext. Furthermore, an attacker may be able to cause a
 denial-of-service condition by enrolling multiple unauthorized devices 
into a tenant via MQTT, potentially disrupting tenant operations.

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-327

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json

https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01

https://www.maxhub.com/en/support/