{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28256", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-25T17:06:34.954Z", "datePublished": "2026-03-12T17:34:56.595Z", "dateUpdated": "2026-03-12T18:00:32.808Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:34:56.595Z"}, "title": "Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-547", "description": "CWE-547 Use of hard-coded, security-relevant constants", "type": "CWE"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.</p>"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li><span>CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.</span></li></ul>"}]}], "credits": [{"lang": "en", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA.", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T18:00:23.718780Z", "id": "CVE-2026-28256", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T18:00:32.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28256", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T18:00:23.718780Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T18:00:26.773Z"}}], "cna": {"title": "Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Trane", "product": "Tracer SC", "versions": [{"status": "affected", "version": "0", "lessThan": "v4.4 SP7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer SC+", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trane", "product": "Tracer Concierge", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.3.2310", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Trane has released the following versions of Tracer SC+ for users to upgrade to:\n\n * CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<p>Trane has released the following versions of Tracer SC+ for users to upgrade to:</p><ul><li><span>CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.</span></li></ul>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.", "supportingMedia": [{"type": "text/html", "value": "<p>A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-547", "description": "CWE-547 Use of hard-coded, security-relevant constants"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T17:34:56.595Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28256", "state": "PUBLISHED", "dateUpdated": "2026-03-12T18:00:32.808Z", "dateReserved": "2026-02-25T17:06:34.954Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-12T17:34:56.595Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc\\+_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED7923B0-A1FF-4A1E-839A-004FBE838730", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B249F8B-02B1-45F6-886F-6AA76CBBFFFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBD8A909-6B7C-43B6-A3A0-FD48BD3D2C18", "versionEndIncluding": "4.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:*:*:*:*:*:*", "matchCriteriaId": "43AD695C-9ACA-4BC4-9450-54B0A3D29B54", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:*:*:*:*:*:*", "matchCriteriaId": "B38311B5-C8E8-4677-9EB5-1FF5A4913ED8", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:*:*:*:*:*:*", "matchCriteriaId": "85891146-8A17-4745-8909-97F0999E7973", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:*:*:*:*:*:*", "matchCriteriaId": "9F2D9C28-3AA6-44BF-A10A-E07B291B9A7E", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:*:*:*:*:*:*", "matchCriteriaId": "55728992-1027-4127-9373-B387D895135A", "vulnerable": true}, {"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6:*:*:*:*:*:*", "matchCriteriaId": "1E07D9C2-BD89-4819-8F51-C4E8F3D46678", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "8588A8A1-256D-4A24-9911-B0EE946F34EE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*", "matchCriteriaId": "E29DD1A7-FA40-440B-8B63-10939823234B", "versionEndExcluding": "6.3.2310", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts."}, {"lang": "es", "value": "Una vulnerabilidad de Uso de constantes codificadas de forma r\u00edgida y relevantes para la seguridad en Trane Tracer SC, Tracer SC+ y Tracer Concierge podr\u00eda permitir a un atacante divulgar informaci\u00f3n sensible y tomar el control de cuentas."}], "id": "CVE-2026-28256", "lastModified": "2026-03-27T16:25:57.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-12T18:16:23.917", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-547"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer Concierge", "source": "cna", "vendor": "Trane"}, "product": "tracer_concierge", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v4.4 SP7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v6.3.2310)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tracer SC+", "source": "cna", "vendor": "Trane"}, "product": "tracer_sc", "vendor": "trane"}], "analysis": {"en": {"generated_at": "2026-03-27T17:29:21.022359+00:00", "value": {"mitigation_remediation": ["Apply Trane\u2019s updated firmware for Tracer SC+ as released by the vendor.", "Verify that the device firmware corresponds to the patched version before deployment.", "If firmware upgrade is not immediately possible, disable the use of hard\u2011coded credentials and configure unique strong passwords for administrative accounts."], "summary": {"action": "Patch Immediately", "impact": "Use of hard\u2011coded credentials enabling disclosure of sensitive information and account takeover."}, "threat_synthesis": {"affected_systems": "The affected products are Trane Tracer Concierge, Tracer SC, and Tracer SC+. Vendor Trane has identified these products for remediation. No specific firmware or software version ranges are provided in the data, so any device running these products may be vulnerable until patched.", "description_and_impact": "The vulnerability stems from hard\u2011coded, security\u2011relevant constants embedded within Trane Tracer SC, Tracer SC+, and Tracer Concierge. These hard\u2011coded credentials can be accessed by an attacker, potentially allowing the disclosure of sensitive configuration data and the takeover of user accounts. The weakness is classified as a credential disclosure issue (CWE\u2011547), affecting confidentiality and integrity of the system. No availability impact is described.", "risk_and_exploitability": "The CVSS score is 6.9, indicating a moderate severity. The EPSS score is less than 1%, suggesting low likelihood of exploitation at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, the use of hard\u2011coded credentials implies that an attacker could gain access either locally or remotely if they can read the device\u2019s configuration. Exploitation would require the attacker to read the credential store and use the credentials to authenticate to the device\u2019s management interface. The attack vector is inferred based on the description, but exact details are not explicitly stated in the data."}}}}, "created": "2026-03-13T09:50:43.971278+00:00", "updated": "2026-03-27T20:27:11.709346+00:00", "vendors": ["trane", "trane$PRODUCT$tracer_concierge", "trane$PRODUCT$tracer_sc"]}