OTPulse

Trane Tracer

Priority: Act Now
CVSS: 9.9
Source: ICS-CERT ICSA-21-266-02
Date: Sep 23, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A code injection vulnerability in Trane Tracer building control systems allows an authenticated user to execute arbitrary code on affected controllers. The vulnerability exists in Tracer Concierge (all versions before 5.5 SP3), Tracer SC (all versions before 4.4 SP7), and Tracer SC+ (all versions before 5.5 SP3). Successful exploitation could give an attacker full control over HVAC and environmental management functions. Trane has released firmware patches for all affected products and recommends isolating controllers from the business network, restricting access, implementing strong authentication, and migrating legacy Tracer SC systems to Tracer SC+.

What this means
What could happen
An authenticated attacker could execute arbitrary code on Trane building controls, potentially allowing them to modify HVAC setpoints, disable environmental controls, or disrupt facility operations.
Who's at risk
Building facilities managers and HVAC technicians responsible for Trane Tracer building control systems. This affects any organization running Tracer Concierge, Tracer SC, or Tracer SC+ controllers in their facilities, including government buildings, hospitals, data centers, universities, and commercial office spaces.
How it could be exploited
An attacker with valid login credentials for the Tracer controller could upload or execute malicious code via the controller's web interface or management functions. This requires network access to the controller and a valid user account.
Prerequisites
  • Network access to Tracer controller management interface (typically port 80/443)
  • Valid user credentials for the Tracer controller
  • Controller must be reachable from attacker's network location
  • Requires authentication, but authenticated users are often internal staff or contractors
  • Low complexity attack requiring only valid credentials
  • High CVSS score (9.9)
  • Tracer SC is end-of-life with no patches planned after December 31, 2022
  • Affects building safety and environmental control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
3 with fix
Product           | Affected Versions | Fix Status
------------------|-------------------|-----------
Tracer Concierge  | All < 5.5 SP3     | 5.5 SP3
Tracer SC         | All < 4.4 SP7     | 5.5 SP3
Tracer SC+        | All < 5.5 SP3     | 5.5 SP3
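A facilities team usually has the controller inventory in a spreadsheet or CMDB export rather than in a scanner, so the practical check is comparing each controller's reported firmware against the thresholds above. The script below is an added example, not OTPulse or Trane code: it parses Trane's "major.minor SPn" version strings (a missing service pack counts as SP0, and an optional leading "v" is tolerated), compares them against the fixed versions taken from the affected-versions column and the hotfix steps on this page, and flags anything below the threshold. The hostnames and installed versions in the sample inventory are constructed.

```python
"""Check a Tracer controller inventory against the advisory's fixed firmware versions.

Added example (not OTPulse or Trane code). Thresholds come from the advisory:
Concierge and SC+ are fixed at 5.5 SP3, SC at 4.4 SP7.
"""
import re
from typing import NamedTuple

# Any firmware strictly below these versions is affected.
FIXED_VERSIONS = {
    "Tracer Concierge": "5.5 SP3",
    "Tracer SC": "4.4 SP7",
    "Tracer SC+": "5.5 SP3",
}

# Accepts "5.5 SP3", "5.5", "v5.5 sp3"; the service-pack group is optional.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\s*SP\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '5.5 SP3' into (5, 5, 3); a version with no service pack counts as SP0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Tracer firmware version: {text!r}")
    major, minor, sp = m.groups()
    return (int(major), int(minor), int(sp) if sp else 0)


def is_patched(product: str, installed: str) -> bool:
    """True when the installed firmware is at or above the advisory's fixed version."""
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[product])


class Finding(NamedTuple):
    host: str
    product: str
    installed: str
    status: str


def assess_inventory(inventory):
    """Classify every (host, product, installed_version) row of the inventory."""
    findings = []
    for host, product, installed in inventory:
        if product not in FIXED_VERSIONS:
            findings.append(Finding(host, product, installed, "not covered by advisory"))
            continue
        try:
            status = "patched" if is_patched(product, installed) else "AFFECTED"
        except ValueError:
            # Unparseable strings are never silently treated as safe.
            status = "unparseable version, verify manually"
        findings.append(Finding(host, product, installed, status))
    return findings


# Constructed sample inventory: hostnames and firmware strings are made up.
SAMPLE_INVENTORY = [
    ("bms-conc-01", "Tracer Concierge", "5.5 SP3"),
    ("bms-sc-07", "Tracer SC", "4.4 SP6"),
    ("bms-sc-12", "Tracer SC", "4.4 SP7"),
    ("bms-scplus-03", "Tracer SC+", "5.5"),
    ("bms-scplus-04", "Tracer SC+", "5.6"),
    ("bms-scplus-05", "Tracer SC+", "v5.5 sp3"),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:15} {f.product:17} {f.installed:10} {f.status}")
```

Tracer SC controllers that come back as patched are still end-of-life per the page, so a full report would pair this check with the migration item under long-term hardening rather than treating 4.4 SP7 as a permanent fix.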
Remediation & Mitigation
Do now
HARDENING: Isolate Tracer controllers from the business network and Internet using firewall rules with no exposed inbound ports
HARDENING: Restrict physical and network access to Tracer controllers to authorized personnel only
HARDENING: Enforce unique, strong passwords for all Tracer controller user accounts and prohibit credential sharing
WORKAROUND: Use Trane Connect Remote Access or an equivalent secure VPN solution if remote access to controllers is required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Tracer Concierge to firmware version 5.5 SP3 or later
HOTFIX: Upgrade Tracer SC to firmware version 4.4 SP7 or later
HOTFIX: Upgrade Tracer SC+ to firmware version 5.5 SP3 or later
Long-term hardening
HARDENING: Implement network segmentation using VLANs to separate building controls from other networked systems
HARDENING: Migrate Tracer SC controllers to Tracer SC+ before the December 31, 2022 end-of-life date
API: /api/v1/advisories/0ebc74a5-e063-4757-a2d0-2d8d216d2899