CVE-2026-28255 - Vulnerability Details

Description

A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Published: 2026-03-12

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected by a use of hard‑coded credentials flaw, classified as CWE‑798. The vulnerability allows an adversary to authenticate using embedded credentials, thereby gaining unauthorized access to system functions. This can result in the disclosure of sensitive information and the takeover of user accounts, compromising confidentiality and integrity of the managed assets.

Affected Systems

The affected products are Trane Tracer Concierge, Tracer SC, and Tracer SC+. Firmware versions include Trane Tracer SC+ firmware 4.4 across service packs one through six, as well as unspecified earlier releases of Tracer SC and Tracer Concierge. Trane has released updated firmware that removes the hard‑coded credentials in these editions.

Risk and Exploitability

The CVSS score is 8.2, indicating a high severity impact, while the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation at present. This vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is remote access to the device’s management interface, where the embedded credentials can be supplied, allowing an attacker to bypass authentication and obtain privileged control over the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Trane

Tracer SC

unaffected

Version	Status	Constraints
`0`	affected	< v4.4 SP7

Trane

Tracer SC+

unaffected

Version	Status	Constraints
`0`	affected	< v6.3.2310

Trane

Tracer Concierge

unaffected

Version	Status	Constraints
`0`	affected	< v6.3.2310

Configuration 1 [-]

AND

OR	cpe:2.3:o:trane:tracer_sc_firmware::::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6::::::

cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:trane:tracer_sc\+_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:trane:tracer_sc\+:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Trane

Tracer Concierge

100%

Version	Status	Scheme	Platform
`[0,v6.3.2310)`	affected	generic	—

Trane

Tracer Sc

100%

Version	Status	Scheme	Platform
`[0,v4.4 SP7)`	affected	generic	—

Trane

Tracer Sc

100%

Version	Status	Scheme	Platform
`[0,v6.3.2310)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Trane has released the following versions of Tracer SC+ for users to upgrade to: * CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.

OpenCVE Recommended Actions

Apply the latest Tracer SC+, Tracer SC, and Tracer Concierge firmware released by Trane that removes hard‑coded credentials.
Verify the firmware update by checking the system version information after installation.
Review and disable any default or unused administrative accounts that may have been left with hard‑coded credentials.
Run a vulnerability scan or audit to confirm that the credential issue is no longer present and monitor logs for any anomalous authentication attempts.

Generated by OpenCVE AI on March 27, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00045.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01

History

Fri, 27 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trane tracer Sc\+ Trane tracer Sc\+ Firmware Trane tracer Sc Firmware
CPEs		cpe:2.3:a:trane:tracer_concierge:::::::: cpe:2.3:h:trane:tracer_sc:::::::: cpe:2.3:h:trane:tracer_sc\+:::::::: cpe:2.3:o:trane:tracer_sc\+_firmware:::::::: cpe:2.3:o:trane:tracer_sc_firmware:::::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6::::::
Vendors & Products		Trane tracer Sc\+ Trane tracer Sc\+ Firmware Trane tracer Sc Firmware
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 13 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trane Trane tracer Concierge Trane tracer Sc
Vendors & Products		Trane Trane tracer Concierge Trane tracer Sc

Thu, 12 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Mar 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Title		Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge
Weaknesses		CWE-798
References		https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}`

Subscriptions

Trane Tracer Concierge Tracer Sc Tracer Sc\+ Tracer Sc\+ Firmware Tracer Sc Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-03-12T17:33:29.171Z

Updated: 2026-03-12T18:02:28.832Z

Reserved: 2026-02-25T17:06:34.954Z

Link: CVE-2026-28255

Vulnrichment

Updated: 2026-03-12T18:02:01.595Z

NVD

Status : Analyzed

Published: 2026-03-12T18:16:23.723

Modified: 2026-03-27T16:25:05.763

Link: CVE-2026-28255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:12Z

Weaknesses

CWE-798

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object