{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28254", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-25T17:06:34.954Z", "datePublished": "2026-03-12T17:29:56.723Z", "dateUpdated": "2026-03-12T19:21:04.760Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:29:56.723Z"}, "title": "Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.</p>"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28254: Tracer SC+ version v6.30.2313", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li>CVE-2026-28254: Tracer SC+ version v6.30.2313</li></ul>"}]}], "credits": [{"lang": "en", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA.", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:20:27.451668Z", "id": "CVE-2026-28254", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:21:04.760Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:20:27.451668Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:20:39.349Z"}}], "cna": {"title": "Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28254: Tracer SC+ version v6.30.2313", "supportingMedia": [{"type": "text/html", "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li>CVE-2026-28254: Tracer SC+ version v6.30.2313</li></ul>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.", "supportingMedia": [{"type": "text/html", "value": "<p>A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:29:56.723Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28254", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:21:04.760Z", "dateReserved": "2026-02-25T17:06:34.954Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-12T17:29:56.723Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBD8A909-6B7C-43B6-A3A0-FD48BD3D2C18", "versionEndIncluding": "4.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:*:*:*:*:*:*", "matchCriteriaId": "43AD695C-9ACA-4BC4-9450-54B0A3D29B54", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:*:*:*:*:*:*", "matchCriteriaId": "B38311B5-C8E8-4677-9EB5-1FF5A4913ED8", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:*:*:*:*:*:*", "matchCriteriaId": "85891146-8A17-4745-8909-97F0999E7973", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:*:*:*:*:*:*", "matchCriteriaId": "9F2D9C28-3AA6-44BF-A10A-E07B291B9A7E", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:*:*:*:*:*:*", "matchCriteriaId": "55728992-1027-4127-9373-B387D895135A", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6:*:*:*:*:*:*", "matchCriteriaId": "1E07D9C2-BD89-4819-8F51-C4E8F3D46678", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "8588A8A1-256D-4A24-9911-B0EE946F34EE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc\\+_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED7923B0-A1FF-4A1E-839A-004FBE838730", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B249F8B-02B1-45F6-886F-6AA76CBBFFFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*", "matchCriteriaId": "E29DD1A7-FA40-440B-8B63-10939823234B", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs."}, {"lang": "es", "value": "Una vulnerabilidad de autorizaci\u00f3n faltante en Trane Tracer SC, Tracer SC+ y Tracer Concierge podr\u00eda permitir a un atacante no autenticado acceder a informaci\u00f3n sensible a trav\u00e9s de APIs no protegidas."}], "id": "CVE-2026-28254", "lastModified": "2026-03-27T16:24:39.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-12T18:16:23.547", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer Concierge", "source": "cna", "vendor": "Trane"}, "product": "tracer_concierge", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v4.4 SP7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC+", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}], "analysis": {"en": {"generated_at": "2026-03-27T17:53:03.902579+00:00", "value": {"mitigation_remediation": ["Upgrade Tracer SC+ to version\u202fv6.30.2313 as released by Trane.", "Apply any future patches or updates issued for Tracer SC and Tracer Concierge to eliminate the missing authorization flaw.", "Restrict network access to the Trane device APIs by implementing network segmentation or firewall rules to limit exposure to trusted management systems."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized sensitive information disclosure via unprotected APIs"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Trane\u2019s Tracer Concierge, Tracer SC, and Tracer SC+ products. Firmware builds of Tracer SC from version\u00a04.4 service packs\u00a01 through\u00a06 are impacted, and all API endpoints in Tracer SC+ are also vulnerable. These systems typically run on HVAC control units that expose management interfaces over the local network.", "description_and_impact": "A missing authorization flaw (CWE\u2011862) in Trane Tracer SC, Tracer SC+, and Tracer Concierge enables an attacker without credentials to read data exposed by several device APIs, thereby compromising the confidentiality of data that should be protected and potentially facilitating further exploitation such as credential harvesting or configuration manipulation.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation in the wild; the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires network access to the device\u2019s exposed APIs, meaning that devices on unsecured or poorly segmented segments could be exposed to unauthenticated data disclosure. A patch is available for Tracer SC+ (v6.30.2313), but no fixed releases are publicly listed for Tracer SC or Tracer Concierge as of this advisory."}}}}, "created": "2026-03-13T09:50:46.930634+00:00", "updated": "2026-03-27T20:27:13.561840+00:00", "vendors": ["trane", "trane$PRODUCT$tracer_concierge", "trane$PRODUCT$tracer_sc"]}