Trane Tracer SC, Tracer SC+, and Tracer Concierge

Summary

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:

Tracer SC
Tracer SC+
Tracer Concierge

CVSS	Vendor	Equipment	Vulnerabilities
v3 8.1	Trane	Trane Tracer SC, Tracer SC+, and Tracer Concierge	Use of a Broken or Risky Cryptographic Algorithm, Memory Allocation with Excessive Size Value, Missing Authorization, Use of Hard-coded Credentials, Use of Hard-coded, Security-relevant Constants

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Ireland

Vulnerabilities

Expand All +

CVE-2026-28252

A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.

View CVE Details

Affected Products

Trane Tracer SC, Tracer SC+, and Tracer Concierge

Vendor:
Trane

Product Version:
Trane Tracer SC: <v4.4_SP7, Trane Tracer SC+: <v6.3.2310, Trane Tracer Concierge: <v6.3.2310

Product Status:
known_affected

Remediations

Vendor fix
Trane has released the following versions of Tracer SC+ for users to upgrade to:

Vendor fix
CVE-2026-28252, CVE-2026-28253, CVE-2026-28254: Tracer SC+ version v6.30.2313

Relevant CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.0	8.1	HIGH	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-28253

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.

View CVE Details

Affected Products

Trane Tracer SC, Tracer SC+, and Tracer Concierge

Vendor:
Trane

Product Version:
Trane Tracer SC: <v4.4_SP7, Trane Tracer SC+: <v6.3.2310, Trane Tracer Concierge: <v6.3.2310

Product Status:
known_affected

Remediations

Vendor fix
Trane has released the following versions of Tracer SC+ for users to upgrade to:

Vendor fix
CVE-2026-28252, CVE-2026-28253, CVE-2026-28254: Tracer SC+ version v6.30.2313

Relevant CWE: CWE-789 Memory Allocation with Excessive Size Value

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.0	7.5	HIGH	This article has been indexed from All CISA Advisories Read the original article: Trane Tracer SC, Tracer SC+, and Tracer Concierge Share this: Facebook X LinkedIn Like this: Like Loading... Related Tags: All CISA Advisories EN Post navigation ← Siemens SIMATIC Siemens Heliox EV Chargers → Search for: Pages Advertising Contact Legal and Contact information Opt-out preferences Privacy Policy Social Media Telegram Channel Recent Posts Wordfence Intelligence Weekly WordPress Vulnerability Report (March 2, 2026 to March 8, 2026) March 12, 2026 Feds Takes Down SocksEscort Proxy Network Used in Global Fraud Schemes March 12, 2026 The Prompt Injection Peril and Why AI Agents Are Your Network’s Newest Vulnerability March 12, 2026 Active Directory Flaw Enables SYSTEM Privilege Escalation March 12, 2026 AI Agent Safety Checklist March 12, 2026 US Lawmakers Move to Kill the FBI’s Warrantless Wiretap Access March 12, 2026 Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks March 12, 2026 Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays March 12, 2026 This one’s for you, Mom March 12, 2026 Apple patches Coruna exploit kit flaws for older iOS versions March 12, 2026 The Threat Within: How Intelligent Detection Prevented a Potential Internal Malware Incident March 12, 2026 Reuse, Reward: How Banks Can Safely Unlock the Value of Their Data March 12, 2026 Enzoic Expands Protection Against Dark Web Credential Exposure March 12, 2026 Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks March 12, 2026 Meta Targets 150K Accounts in Southeast Asia Scam Operation March 12, 2026 Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft March 12, 2026 Attackers Hijack Microsoft 365 Accounts Through OAuth Device Code Abuse Without Stealing Passwords March 12, 2026 From transparency to action: What the latest Microsoft email security benchmark reveals March 12, 2026 Hackers Use Cloudflare Human Check to Hide Microsoft 365 Phishing Pages March 12, 2026 Law enforcement shuts down botnet made of tens of thousands of hacked routers March 12, 2026 Copyright © 2026 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com. Manage Consent To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions. Functional Functional Always active The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. Preferences Preferences The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. Statistics Statistics The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you. Marketing Marketing The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. Manage options Manage services Manage {vendor_count} vendors Read more about these purposes View preferences {title} {title} {title}

Summary

Background

Vulnerabilities

CVE-2026-28252

Affected Products

Trane Tracer SC, Tracer SC+, and Tracer Concierge

Remediations

Metrics

CVE-2026-28253

Affected Products

Trane Tracer SC, Tracer SC+, and Tracer Concierge

Remediations

Metrics

Read the original article:

Share this:

Like this:

Related

Post navigation