HIGH

CVE-2026-6411

CWE-327 · Published: May 7, 2026 · Updated: May 8, 2026

CVSS v3.1: 7.3
EPSS: 0.03% probability of exploitation in 30 days (7.2th percentile)

Official Description

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

NVD Source

Technical Analysis

CVE-2026-6411 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: Low
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

News & Research Mentioning CVE-2026-6411

MAXHUB Pivot Client Application
CISA Alerts· May 7, 2026

Summary: Successful exploitation of this vulnerability may enable an attacker to access tenant email addresses and associated information in cleartext or cause a denial-of-service condition.

The following versions of MAXHUB Pivot client application are affected: MAXHUB Pivot client application

CVSS: v3 7.3
Vendor: MAXHUB
Equipment: MAXHUB Pivot client application
Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm

Background
Critical Infrastructure Sectors: Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities
CVE-2026-6411: This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tena

Quick Facts

CVE ID: CVE-2026-6411
CVSS Score: 7.3 / 10
Severity: HIGH
Weakness: CWE-327
CISA KEV: No
EPSS (30d): 0.03%
Published: May 7, 2026

Known Threat Actors

core
financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-6411 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.