Description
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Published: 2026-03-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use of hard‑coded credentials enabling disclosure of sensitive information and account takeover.
Action: Patch Immediately
AI Analysis

Impact

The vulnerability stems from hard‑coded, security‑relevant constants embedded within Trane Tracer SC, Tracer SC+, and Tracer Concierge. These hard‑coded credentials can be accessed by an attacker, potentially allowing the disclosure of sensitive configuration data and the takeover of user accounts. The weakness is classified as CWE‑547 (Use of Hard-coded, Security-relevant Constants), and it affects the confidentiality and integrity of the system. No availability impact is described.

Affected Systems

The affected products are Trane Tracer Concierge, Tracer SC, and Tracer SC+. Vendor Trane has identified these products for remediation. No specific firmware or software version ranges are provided in the data, so any device running these products may be vulnerable until patched.

Risk and Exploitability

The CVSS 4.0 score is 6.9, indicating medium severity; the history on this page also records a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N). The EPSS score is less than 1%, suggesting a low likelihood of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. However, the use of hard‑coded credentials implies that an attacker could gain access either locally or remotely if they can read the device’s configuration. Exploitation would require the attacker to read the credential store and use the credentials to authenticate to the device’s management interface. The attack vector is inferred from the description; exact details are not explicitly stated in the data.

Generated by OpenCVE AI on March 27, 2026 at 17:29 UTC.

Remediation

Vendor Solution

Trane has released the following versions of Tracer SC+ for users to upgrade to:

  • CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.


OpenCVE Recommended Actions

  • Apply Trane’s updated firmware for Tracer SC+ as released by the vendor.
  • Verify that the device firmware corresponds to the patched version before deployment.
  • If firmware upgrade is not immediately possible, disable the use of hard‑coded credentials and configure unique strong passwords for administrative accounts.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Trane tracer Sc\+ |
| CPEs | | cpe:2.3:h:trane:tracer_sc\+:*:*:*:*:*:*:*:* |
| Vendors & Products | | Trane tracer Sc\+ |

Fri, 27 Mar 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Trane tracer Sc\+ Firmware |
| | | Trane tracer Sc Firmware |
| CPEs | | cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:* |
| | | cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc\+_firmware:*:*:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:*:*:*:*:*:* |
| | | cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6:*:*:*:*:*:* |
| Vendors & Products | | Trane tracer Sc\+ Firmware |
| | | Trane tracer Sc Firmware |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Fri, 13 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Trane |
| | | Trane tracer Concierge |
| | | Trane tracer Sc |
| Vendors & Products | | Trane |
| | | Trane tracer Concierge |
| | | Trane tracer Sc |

Thu, 12 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 12 Mar 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts. |
| Title | | Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge |
| Weaknesses | | CWE-547 |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-12T18:00:32.808Z

Reserved: 2026-02-25T17:06:34.954Z

Link: CVE-2026-28256

Vulnrichment

Updated: 2026-03-12T18:00:26.773Z

NVD

Status: Analyzed

Published: 2026-03-12T18:16:23.917

Modified: 2026-03-27T16:25:57.750

Link: CVE-2026-28256

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:11Z

Weaknesses