PatchSiren cyber security CVE debrief

CVE-2025-53704 MAXHUB CVE debrief

A critical authentication vulnerability exists in the MAXHUB Pivot client application where the password reset mechanism is implemented with insufficient security controls. The weakness allows unauthenticated remote attackers to bypass authentication and take over user accounts without requiring prior access or user interaction. This vulnerability is particularly severe for industrial control system environments where MAXHUB Pivot may be deployed, as account compromise could lead to unauthorized access to sensitive operational technology infrastructure. The CVSS 3.1 score of 7.5 (HIGH) reflects the network attack vector, low attack complexity, no required privileges, and no user interaction needed, with a high impact on integrity. CISA published this advisory on December 4, 2025, as ICSA-25-338-02. MAXHUB has released a patched version to address this vulnerability.

Vendor: MAXHUB
Product: Pivot client application
CVSS: 7.5 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-04
Original CVE updated: 2025-12-04
Advisory published: 2025-12-04
Advisory updated: 2025-12-04

Who should care

Organizations using MAXHUB Pivot client application for meeting room or collaboration systems, particularly those in industrial or enterprise environments where Pivot may interface with operational technology networks. Security teams responsible for identity and access management, ICS/OT security practitioners, and network administrators managing MAXHUB deployments should prioritize this patch.

Technical summary

The MAXHUB Pivot client application implements a password reset mechanism with insufficient security controls, allowing remote unauthenticated attackers to take over user accounts. The vulnerability is remotely exploitable without authentication or user interaction. CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). CVSS 4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N). The integrity impact is rated HIGH while confidentiality and availability impacts are NONE. MAXHUB has released version 1.36.2 to remediate this vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade MAXHUB Pivot client application to version 1.36.2 or newer immediately
  • Review account access logs for unauthorized password reset attempts or suspicious account activity
  • Implement network segmentation to restrict Pivot client application access to authorized administrative hosts only
  • Enable multi-factor authentication for all Pivot client application accounts if supported
  • Monitor for anomalous authentication patterns and failed password reset requests
  • Contact MAXHUB support for additional hardening guidance specific to your deployment
  • Apply CISA's ICS recommended practices for defense-in-depth security architecture

Evidence notes

The vulnerability description and remediation guidance are sourced directly from CISA's CSAF-formatted advisory. The CVSS vector confirms network accessibility and high integrity impact. The vendor fix information specifies the exact patched version.

Official resources

CISA disclosed this vulnerability on December 4, 2025, via ICS Advisory ICSA-25-338-02. The advisory was published concurrently with the CVE assignment. No known exploitation in the wild had been reported at the time of disclosure.