CVE-2026-28254 - Vulnerability Details

Description

A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.

Published: 2026-03-12

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A missing authorization flaw (CWE‑862) in Trane Tracer SC, Tracer SC+, and Tracer Concierge enables an attacker without credentials to read data exposed by several device APIs, thereby compromising the confidentiality of data that should be protected and potentially facilitating further exploitation such as credential harvesting or configuration manipulation.

Affected Systems

The vulnerability affects Trane’s Tracer Concierge, Tracer SC, and Tracer SC+ products. Firmware builds of Tracer SC from version 4.4 service packs 1 through 6 are impacted, and all API endpoints in Tracer SC+ are also vulnerable. These systems typically run on HVAC control units that expose management interfaces over the local network.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation in the wild; the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires network access to the device’s exposed APIs, meaning that devices on unsecured or poorly segmented segments could be exposed to unauthenticated data disclosure. A patch is available for Tracer SC+ (v6.30.2313), but no fixed releases are publicly listed for Tracer SC or Tracer Concierge as of this advisory.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Trane

Tracer SC

unaffected

Version	Status	Constraints
`0`	affected	< v4.4 SP7

Trane

Tracer SC+

unaffected

Version	Status	Constraints
`0`	affected	< v6.3.2310

Trane

Tracer Concierge

unaffected

Version	Status	Constraints
`0`	affected	< v6.3.2310

Configuration 1 [-]

AND

OR	cpe:2.3:o:trane:tracer_sc_firmware::::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6::::::

cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:trane:tracer_sc\+_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:trane:tracer_sc\+:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Trane

Tracer Concierge

100%

Version	Status	Scheme	Platform
`[0,v6.3.2310)`	affected	generic	—

Trane

Tracer Sc

100%

Version	Status	Scheme	Platform
`[0,v4.4 SP7)`	affected	generic	—

Trane

Tracer Sc

100%

Version	Status	Scheme	Platform
`[0,v6.3.2310)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Trane has released the following versions of Tracer SC+ for users to upgrade to: * CVE-2026-28254: Tracer SC+ version v6.30.2313

OpenCVE Recommended Actions

Upgrade Tracer SC+ to version v6.30.2313 as released by Trane.
Apply any future patches or updates issued for Tracer SC and Tracer Concierge to eliminate the missing authorization flaw.
Restrict network access to the Trane device APIs by implementing network segmentation or firewall rules to limit exposure to trusted management systems.

Generated by OpenCVE AI on March 27, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00039.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01

History

Fri, 27 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trane tracer Sc\+ Trane tracer Sc\+ Firmware Trane tracer Sc Firmware
CPEs		cpe:2.3:a:trane:tracer_concierge:::::::: cpe:2.3:h:trane:tracer_sc:::::::: cpe:2.3:h:trane:tracer_sc\+:::::::: cpe:2.3:o:trane:tracer_sc\+_firmware:::::::: cpe:2.3:o:trane:tracer_sc_firmware:::::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6::::::
Vendors & Products		Trane tracer Sc\+ Trane tracer Sc\+ Firmware Trane tracer Sc Firmware
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Fri, 13 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trane Trane tracer Concierge Trane tracer Sc
Vendors & Products		Trane Trane tracer Concierge Trane tracer Sc

Thu, 12 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Mar 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.
Title		Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge
Weaknesses		CWE-862
References		https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}`

Subscriptions

Trane Tracer Concierge Tracer Sc Tracer Sc\+ Tracer Sc\+ Firmware Tracer Sc Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-03-12T17:29:56.723Z

Updated: 2026-03-12T19:21:04.760Z

Reserved: 2026-02-25T17:06:34.954Z

Link: CVE-2026-28254

Vulnrichment

Updated: 2026-03-12T19:20:39.349Z

NVD

Status : Analyzed

Published: 2026-03-12T18:16:23.547

Modified: 2026-03-27T16:24:39.987

Link: CVE-2026-28254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:13Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object