{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28252", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-25T17:06:34.954Z", "datePublished": "2026-03-12T17:24:04.256Z", "dateUpdated": "2026-03-13T16:26:13.627Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:54:58.775Z"}, "title": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.</p><br>"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.2, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28252: Tracer SC+ version v6.30.2313", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li>CVE-2026-28252: Tracer SC+ version v6.30.2313<br></li></ul>"}]}], "credits": [{"lang": "en", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA.", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:26:05.382110Z", "id": "CVE-2026-28252", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:26:13.627Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28252", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T16:26:05.382110Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:26:10.126Z"}}], "cna": {"title": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28252: Tracer SC+ version v6.30.2313", "supportingMedia": [{"type": "text/html", "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li>CVE-2026-28252: Tracer SC+ version v6.30.2313<br></li></ul>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.", "supportingMedia": [{"type": "text/html", "value": "<p>A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:54:58.775Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28252", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:26:13.627Z", "dateReserved": "2026-02-25T17:06:34.954Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-12T17:24:04.256Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBD8A909-6B7C-43B6-A3A0-FD48BD3D2C18", "versionEndIncluding": "4.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:*:*:*:*:*:*", "matchCriteriaId": "43AD695C-9ACA-4BC4-9450-54B0A3D29B54", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:*:*:*:*:*:*", "matchCriteriaId": "B38311B5-C8E8-4677-9EB5-1FF5A4913ED8", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:*:*:*:*:*:*", "matchCriteriaId": "85891146-8A17-4745-8909-97F0999E7973", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:*:*:*:*:*:*", "matchCriteriaId": "9F2D9C28-3AA6-44BF-A10A-E07B291B9A7E", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:*:*:*:*:*:*", "matchCriteriaId": "55728992-1027-4127-9373-B387D895135A", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6:*:*:*:*:*:*", "matchCriteriaId": "1E07D9C2-BD89-4819-8F51-C4E8F3D46678", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "8588A8A1-256D-4A24-9911-B0EE946F34EE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc\\+_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED7923B0-A1FF-4A1E-839A-004FBE838730", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B249F8B-02B1-45F6-886F-6AA76CBBFFFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*", "matchCriteriaId": "E29DD1A7-FA40-440B-8B63-10939823234B", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device."}, {"lang": "es", "value": "Una vulnerabilidad de uso de algoritmo criptogr\u00e1fico roto o arriesgado en Trane Tracer SC, Tracer SC+ y Tracer Concierge podr\u00eda permitir a un atacante eludir la autenticaci\u00f3n y obtener acceso a nivel de root al dispositivo."}], "id": "CVE-2026-28252", "lastModified": "2026-03-27T16:22:41.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-12T18:16:23.190", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer Concierge", "source": "cna", "vendor": "Trane"}, "product": "tracer_concierge", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v4.4 SP7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC+", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}], "analysis": {"en": {"generated_at": "2026-03-27T17:30:42.007670+00:00", "value": {"mitigation_remediation": ["Upgrade Tracer SC+ to the vendor\u2011supplied version v6.30.2313 following the official release notes. ", "If an upgrade is temporarily unavailable, isolate the device from the network and limit exposure by firewalling or VLAN segmentation. ", "Audit authentication logs for anomalous access attempts and enforce strong authentication policies. ", "Consider disabling any unnecessary remote management protocols and apply additional device hardening guidelines that Trane recommends. "], "summary": {"action": "Patch Immediately", "impact": "Root-level access through authentication bypass"}, "threat_synthesis": {"affected_systems": "The affected products are Trane Tracer Concierge and Trane Tracer SC family, including Tracer SC+, as identified by the CNA. While the description does not list specific model or firmware numbers, Trane has released an updated Tracer SC+ version (v6.30.2313) that addresses the issue. Earlier firmware revisions, such as the 4.4 service packs and other Tracer SC firmware variants, are presumed vulnerable until a patch is applied. System administrators should verify the exact hardware model and firmware version against the vendor\u2019s advisory.", "description_and_impact": "A weakened cryptographic algorithm is used in the authentication process of Trane Tracer SC, Tracer SC+, and Tracer Concierge. The flaw allows an attacker to bypass authentication, thereby granting full root privileges on the device. The vulnerability is classified under CWE\u2011327 and can compromise confidentiality, integrity, and availability of the control system. Once compromised, an attacker could alter or disable device functions, leading to safety risks and potential denial of service for critical HVAC operations.", "risk_and_exploitability": "The CVSS score for this vulnerability is 9.2, indicating a high severity. EPSS indicates an exploitation probability of less than 1\u202f%, and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation likelihood. Nevertheless, the attack vector is inferred to be remote over the network, since authentication is typically performed via network connections to the device. An attacker who successfully exploits the flaw gains unrestricted root control, making this a critical risk for any connected control environment."}}}}, "created": "2026-03-13T09:50:50.817845+00:00", "updated": "2026-03-27T20:27:15.717201+00:00", "vendors": ["trane", "trane$PRODUCT$tracer_concierge", "trane$PRODUCT$tracer_sc"]}