MAXHUB Pivot Client Application Hardcoded AES Key Vulnerability Allowing Email Metadata Access and Potential Denial-of-Service
Vulnerability
A vulnerability exists in the MAXHUB Pivot client application in versions prior to 1.36.2. The client uses a hardcoded AES key, so anyone who extracts that key from the application can decrypt the encrypted tenant email addresses and related metadata and recover them in cleartext. The same weakness can also be leveraged to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, disrupting tenant operations.
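The weakness described above is a design flaw rather than a cipher flaw: AES-GCM is sound, but a key that ships inside every copy of a client is available to anyone who has the client, so ciphertext produced by one installation can be opened by any other party holding the same constant. The following Go program is an added illustration of that failure mode and of the contrasting per-device-key pattern; it is not MAXHUB's code, and the key value, the sample metadata string, and the client types are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hardcodedKey stands in for a constant baked into every copy of a client binary.
// Constructed example value (32 bytes, AES-256); not a key from any real product.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef")

// tenantMeta is a constructed sample of the kind of data such a client might protect.
var tenantMeta = []byte("tenant-admin@example.invalid;tenant=acme")

// sealGCM encrypts plaintext with AES-GCM under key and prefixes the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; it returns an error if the key is wrong or the blob was modified.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// VulnerableClient models a client that protects metadata with the shared hardcoded key.
type VulnerableClient struct{}

func (VulnerableClient) Protect(meta []byte) ([]byte, error) { return sealGCM(hardcodedKey, meta) }

// AttackerRecover is what anyone who pulled the constant out of the binary can do to
// any installation's blob: the key is identical everywhere.
func AttackerRecover(sealed []byte) ([]byte, error) { return openGCM(hardcodedKey, sealed) }

// HardenedClient holds a key generated on this device (or provisioned to it over an
// authenticated channel) and never embedded in the distributed binary.
type HardenedClient struct{ key []byte }

func NewHardenedClient() (*HardenedClient, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &HardenedClient{key: k}, nil
}

func (h *HardenedClient) Protect(meta []byte) ([]byte, error) { return sealGCM(h.key, meta) }
func (h *HardenedClient) Recover(sealed []byte) ([]byte, error) { return openGCM(h.key, sealed) }

// ConstantKeyLeaks returns true when metadata sealed by the vulnerable client is
// readable by a third party who only knows the hardcoded key.
func ConstantKeyLeaks() (bool, error) {
	sealed, err := VulnerableClient{}.Protect(tenantMeta)
	if err != nil {
		return false, err
	}
	got, err := AttackerRecover(sealed)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, tenantMeta), nil
}

// PerDeviceKeyResists returns true when a blob from device A cannot be opened with the
// hardcoded key or with device B's key, and only A's own key recovers it.
func PerDeviceKeyResists() (bool, error) {
	a, err := NewHardenedClient()
	if err != nil {
		return false, err
	}
	b, err := NewHardenedClient()
	if err != nil {
		return false, err
	}
	sealed, err := a.Protect(tenantMeta)
	if err != nil {
		return false, err
	}
	if _, err := openGCM(hardcodedKey, sealed); err == nil {
		return false, nil // a shipped constant must not open it
	}
	if _, err := b.Recover(sealed); err == nil {
		return false, nil // another device's key must not open it
	}
	got, err := a.Recover(sealed)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, tenantMeta), nil
}

func main() {
	leaked, _ := ConstantKeyLeaks()
	resists, _ := PerDeviceKeyResists()
	fmt.Println("hardcoded key lets a third party decrypt:", leaked)
	fmt.Println("per-device key blocks third parties:", resists)
}
```

The hardened variant only moves the secret off the binary; in a real deployment the per-device key would be provisioned by the backend over an authenticated channel or the backend would keep the tenant data encrypted under a key the client never sees. The check a practitioner would apply to a client update is the same in either case: confirm that no single constant in the binary opens blobs produced by a different installation.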
Impact
An attacker who obtains the hardcoded key can read tenant email addresses and associated metadata in cleartext, or cause a denial-of-service condition by disrupting tenant operations through unauthorized device enrollment.
Remediation
Users are advised to upgrade the MAXHUB Pivot client application to version 1.36.2 or newer. The update is delivered as an over-the-air (OTA) update. Because the weakness lives in the client, every deployed instance must receive the update; verify that each device reports version 1.36.2 or newer after the OTA rollout. For more information, visit the MAXHUB support page.
