Trane Tracer SC, Tracer SC+, and Tracer Concierge

Action: Plan patch | CVSS 8.1 | ICS-CERT ICSA-26-071-01 | Mar 12, 2026
Vendor: Trane | Sector: Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Trane Tracer SC, Tracer SC+, and Tracer Concierge building automation systems contain multiple vulnerabilities (CVE-2026-28252, CVE-2026-28253, CVE-2026-28254) related to weak cryptography (CWE-327), improper input validation (CWE-789), missing authorization (CWE-862), hardcoded credentials (CWE-798), and lack of input bounds checking (CWE-547). Successful exploitation could allow an attacker to disclose sensitive information, execute arbitrary commands, or cause a denial of service. Tracer SC (all versions below 4.4_SP7) will not receive a vendor patch. Tracer SC+ can be patched to version 6.30.2313. Tracer Concierge has no known fix available.

What this means
What could happen
An attacker with network access to a Trane building automation system could execute arbitrary commands, leak sensitive configuration or credential data, or crash the system, disrupting climate control and facility management operations.
Who's at risk
Trane Tracer SC, Tracer SC+, and Tracer Concierge building automation control systems are affected. This impacts any organization running these systems in manufacturing facilities, office buildings, data centers, or other commercial spaces to manage heating, cooling, ventilation, and facility operations. Exposure is highest for older Tracer SC installations, for which no patch will be released.
How it could be exploited
An attacker with network access to the Tracer SC/SC+/Concierge device would exploit one of the underlying flaws (weak cryptography, improper input validation, missing authentication, or hardcoded credentials) to bypass security controls, gain command execution, or extract sensitive data. The high CVSS and specific CWEs (authentication bypass, buffer overflow, hardcoded secrets) suggest this could be done with network access alone, without user interaction.
Prerequisites
  • Network access to the Tracer SC/SC+/Concierge device on port 80 or 443 (typical for web-based building automation)
  • No authentication may be required (CWE-862 suggests missing authorization checks)
Key points
  • Remotely exploitable from the network
  • No authentication required (based on CWE-862)
  • Low to medium complexity attack
  • No patch available for Tracer SC and Tracer Concierge
  • Affects facility operations and safety-critical climate control
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3): 2 EOL, 1 pending
Product           Affected Versions   Fix Status
Tracer SC         < v4.4_SP7          No fix (EOL)
Tracer SC+        < v6.3.2310         No fix (EOL)
Tracer Concierge  < v6.3.2310         No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Tracer devices from untrusted networks; do not expose the device directly to the internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: For Tracer SC+ systems, update to version 6.30.2313 or later for CVE-2026-28252, CVE-2026-28253, and CVE-2026-28254
WORKAROUND: For Tracer SC (<v4.4_SP7), plan end-of-life replacement, as the vendor will not provide patches; until replacement occurs, apply compensating network controls
WORKAROUND: For Tracer Concierge, determine an alternative deployment or replacement plan, as no patch is available from Trane
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Tracer SC: <v4.4_SP7, Tracer SC+: <v6.3.2310. Apply the following compensating controls:
HARDENING: Place Tracer SC/SC+/Concierge systems behind a firewall and isolate them from business networks on a dedicated building automation or OT network
HARDENING: If remote access to Tracer devices is required, mandate VPN connections and ensure the VPN software is kept current with security updates


Trane Tracer SC, Tracer SC+, and Tracer Concierge | CVSS 8.1 - OTPulse