OTPulse

MAXHUB Pivot

CVSS 7.5 · ICS-CERT ICSA-25-338-02 · Dec 4, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Pivot client application contains a vulnerability that allows an attacker to request a password reset without proper authorization, potentially gaining unauthorized access to user accounts. The vulnerability affects versions prior to v1.36.2.

What this means
What could happen
An attacker could reset the password of a Pivot account and gain unauthorized access to it, potentially reaching sensitive collaborative workspace data or impersonating your organization's users.
Who's at risk
Organizations using MAXHUB Pivot client for collaborative workspace management, particularly those with remote or hybrid work environments where staff rely on Pivot for scheduling and coordination. Anyone managing shared resources or digital displays through Pivot should prioritize this update.
How it could be exploited
An attacker would request a password reset for a targeted Pivot account. Because the reset mechanism does not verify that the requester is authorized to reset that account, the attacker could complete (or intercept) the reset and take over the account without the legitimate user's knowledge.
Prerequisites
  • Network access to the Pivot client application or its backend authentication service
  • Ability to interact with the password reset mechanism
  • Knowledge of a valid target account identifier (username or email)
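The weakness described above belongs to the class where the reset endpoint trusts the caller's claim to an account instead of requiring proof that the caller controls it. The following is an added example written for this page, not MAXHUB's Pivot code, and it assumes nothing about how Pivot implements its reset; the account store, function names and token lifetime are hypothetical. It shows that weak pattern beside a hardened flow in which the reset can only be completed with a random, hashed, single-use, expiring token delivered to the account owner, with a uniform response that does not reveal whether a username exists.

```python
"""Password-reset flow: the weak pattern (reset without proof of ownership)
beside a hardened one. Illustrative code for this page, not Pivot's code."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute reset window


class Account:
    def __init__(self, username: str, email: str, password_hash: str):
        self.username = username
        self.email = email
        self.password_hash = password_hash
        self.reset_token_hash = None   # hash of the outstanding token, if any
        self.reset_expires_at = 0.0
        self.session_version = 0       # bumped to invalidate existing sessions


def hash_password(password: str) -> str:
    # Demo only: a real system would use a slow, salted KDF (argon2/bcrypt/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


# --- Weak pattern: the endpoint lets the caller name the account to reset ---
def reset_password_unauthorized(store: dict, username: str, new_password: str) -> bool:
    """Anyone who knows a username can set its password: no proof of ownership."""
    acct = store.get(username)
    if acct is None:
        return False
    acct.password_hash = hash_password(new_password)
    return True


# --- Hardened pattern: reset requires a secret delivered to the account owner ---
def request_reset(store: dict, username: str, outbox: list, now=None) -> str:
    """Issue a single-use, expiring token and hand it to the mailer (outbox).

    The returned message is identical whether or not the account exists, so
    the endpoint cannot be used to enumerate valid usernames."""
    now = time.time() if now is None else now
    acct = store.get(username)
    if acct is not None:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        # Store only a hash: a database leak must not yield usable tokens.
        acct.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        acct.reset_expires_at = now + TOKEN_TTL_SECONDS
        outbox.append((acct.email, token))         # delivered out of band
    return "If that account exists, a reset link has been sent."


def complete_reset(store: dict, username: str, token: str, new_password: str, now=None) -> bool:
    """Accept the reset only with a valid, unexpired, unused token for this account."""
    now = time.time() if now is None else now
    acct = store.get(username)
    if acct is None or acct.reset_token_hash is None:
        return False
    if now > acct.reset_expires_at:
        acct.reset_token_hash = None               # expired: discard it
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False                               # constant-time comparison
    acct.password_hash = hash_password(new_password)
    acct.reset_token_hash = None                   # single use
    acct.session_version += 1                      # log out sessions an attacker may hold
    return True


def demo_store() -> dict:
    # Constructed sample account for the demonstration.
    return {"alice": Account("alice", "alice@example.invalid", hash_password("original"))}


if __name__ == "__main__":
    store = demo_store()
    print("weak reset succeeded without any token:",
          reset_password_unauthorized(store, "alice", "pwned"))
    store, outbox = demo_store(), []
    request_reset(store, "alice", outbox)
    _, token = outbox[0]
    print("hardened reset with guessed token:", complete_reset(store, "alice", "guess", "x"))
    print("hardened reset with delivered token:", complete_reset(store, "alice", token, "newpass"))
    print("replay of the same token:", complete_reset(store, "alice", token, "again"))
```

The two properties that matter for the advisory's scenario are visible in `complete_reset`: the reset cannot succeed from knowledge of the username alone, and a token that has been used, expired, or never issued is rejected before any password is written.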
Tags: remotely exploitable · no authentication required for password reset · low complexity attack · account takeover risk
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: Pivot client application
Affected Versions: <v1.36.2
Fix Status: v1.36.2 or later
Remediation & Mitigation

Do now
HARDENING: Restrict network access to the Pivot client and authentication services to authorized users only via firewall rules.

Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
HOTFIX: Upgrade the Pivot client application to v1.36.2 or newer.
HARDENING: Require VPN access for remote connections to Pivot services.

Long-term hardening
HARDENING: Implement additional account security measures such as multi-factor authentication (MFA) on Pivot accounts.