{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28255", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-25T17:06:34.954Z", "datePublished": "2026-03-12T17:33:29.171Z", "dateUpdated": "2026-03-12T18:02:28.832Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:33:29.171Z"}, "title": "Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "type": "CWE"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.</p>"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li><span>CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.</span></li></ul>"}]}], "credits": [{"lang": "en", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA.", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T18:01:57.727415Z", "id": "CVE-2026-28255", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T18:02:28.832Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28255", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T18:01:57.727415Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T18:02:01.595Z"}}], "cna": {"title": "Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li><span>CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.</span></li></ul>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.", "supportingMedia": [{"type": "text/html", "value": "<p>A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:33:29.171Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28255", "state": "PUBLISHED", "dateUpdated": "2026-03-12T18:02:28.832Z", "dateReserved": "2026-02-25T17:06:34.954Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-12T17:33:29.171Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBD8A909-6B7C-43B6-A3A0-FD48BD3D2C18", "versionEndIncluding": "4.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:*:*:*:*:*:*", "matchCriteriaId": "43AD695C-9ACA-4BC4-9450-54B0A3D29B54", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:*:*:*:*:*:*", "matchCriteriaId": "B38311B5-C8E8-4677-9EB5-1FF5A4913ED8", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:*:*:*:*:*:*", "matchCriteriaId": "85891146-8A17-4745-8909-97F0999E7973", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:*:*:*:*:*:*", "matchCriteriaId": "9F2D9C28-3AA6-44BF-A10A-E07B291B9A7E", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:*:*:*:*:*:*", "matchCriteriaId": "55728992-1027-4127-9373-B387D895135A", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6:*:*:*:*:*:*", "matchCriteriaId": "1E07D9C2-BD89-4819-8F51-C4E8F3D46678", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "8588A8A1-256D-4A24-9911-B0EE946F34EE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc\\+_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED7923B0-A1FF-4A1E-839A-004FBE838730", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B249F8B-02B1-45F6-886F-6AA76CBBFFFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*", "matchCriteriaId": "E29DD1A7-FA40-440B-8B63-10939823234B", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts."}, {"lang": "es", "value": "Una vulnerabilidad de uso de credenciales codificadas de forma r\u00edgida en Trane Tracer SC, Tracer SC+ y Tracer Concierge podr\u00eda permitir a un atacante divulgar informaci\u00f3n sensible y tomar el control de cuentas."}], "id": "CVE-2026-28255", "lastModified": "2026-03-27T16:25:05.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-12T18:16:23.723", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer Concierge", "source": "cna", "vendor": "Trane"}, "product": "tracer_concierge", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v4.4 SP7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC+", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}], "analysis": {"en": {"generated_at": "2026-03-27T17:29:44.372736+00:00", "value": {"mitigation_remediation": ["Apply the latest Tracer SC+, Tracer SC, and Tracer Concierge firmware released by Trane that removes hard\u2011coded credentials.", "Verify the firmware update by checking the system version information after installation.", "Review and disable any default or unused administrative accounts that may have been left with hard\u2011coded credentials.", "Run a vulnerability scan or audit to confirm that the credential issue is no longer present and monitor logs for any anomalous authentication attempts."], "summary": {"action": "Upgrade", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "The affected products are Trane Tracer Concierge, Tracer SC, and Tracer SC+. Firmware versions include Trane Tracer SC+ firmware 4.4 across service packs one through six, as well as unspecified earlier releases of Tracer SC and Tracer Concierge. Trane has released updated firmware that removes the hard\u2011coded credentials in these editions.", "description_and_impact": "Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected by a use of hard\u2011coded credentials flaw, classified as CWE\u2011798. The vulnerability allows an adversary to authenticate using embedded credentials, thereby gaining unauthorized access to system functions. This can result in the disclosure of sensitive information and the takeover of user accounts, compromising confidentiality and integrity of the managed assets.", "risk_and_exploitability": "The CVSS score is 8.2, indicating a high severity impact, while the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation at present. This vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is remote access to the device\u2019s management interface, where the embedded credentials can be supplied, allowing an attacker to bypass authentication and obtain privileged control over the system."}}}}, "created": "2026-03-13T09:50:45.342657+00:00", "updated": "2026-03-27T20:27:12.641974+00:00", "vendors": ["trane", "trane$PRODUCT$tracer_concierge", "trane$PRODUCT$tracer_sc"]}