MAXHUB Pivot
Plan Patch
CVSS 7.5
ICS-CERT ICSA-25-338-02
Dec 4, 2025
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
MAXHUB Pivot client application versions prior to v1.36.2 contain a vulnerability that allows an attacker to request a password reset and gain unauthorized access to user accounts. The vulnerability has a CVSS score of 7.5; it requires no authentication or user interaction and is remotely exploitable.
What this means
What could happen
An attacker can reset a user's password without authorization and log into their account, gaining access to Pivot functionality and any integrated control systems or data the account can reach.
Who's at risk
Organizations using MAXHUB Pivot for interactive displays, meeting room systems, or integrated control room environments should prioritize this patch. Any facility using the Pivot client to manage or monitor operational technology systems is at risk if the application is reachable from untrusted networks.
How it could be exploited
An attacker reaches the Pivot application over the network and initiates a password reset request without needing credentials or user interaction. Once the password is reset, the attacker can log in and control or manipulate any systems the compromised account has access to.
Prerequisites
- Network access to the Pivot client application
- Ability to initiate password reset requests (typically requires knowing or guessing a valid username or email address)
Remotely exploitable; no authentication required for password reset; low attack complexity; password reset allows account takeover; could be used to pivot into control systems if Pivot integrates with industrial equipment.
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Pivot client application | <v1.36.2 | v1.36.2+
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the Pivot application to only authorized users and networks; do not expose it to the Internet.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
- HOTFIX: Upgrade Pivot client application to v1.36.2 or later.
- HARDENING: If remote access is required, use a VPN with multi-factor authentication rather than exposing the application directly.
CVEs (1)