OTPulse

Trane Tracer SC, Tracer SC+, and Tracer Concierge

Plan Patch · 8.1 · ICS-CERT ICSA-26-071-01 · Mar 12, 2026
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple vulnerabilities in Trane Tracer SC, SC+, and Concierge building management systems allow remote attackers without authentication to disclose sensitive information (CWE-798: hardcoded credentials; CWE-862: missing access control), execute arbitrary commands (CWE-547: improper input validation), or cause denial of service (CWE-789: integer overflow). The vulnerabilities stem from weak cryptographic practices (CWE-327) in the web interface and API. Successful exploitation could allow an attacker to access system configurations, modify HVAC setpoints, extract credentials, or crash the control application.

What this means
What could happen
An attacker with network access to these building management systems could disclose credentials and configuration data, run arbitrary commands on the device, or cause the system to stop responding, disrupting HVAC control and building operations.
Who's at risk
Building automation and HVAC control system operators using Trane Tracer SC, SC+, or Concierge platforms. These are commonly deployed in manufacturing facilities, office buildings, hospitals, and data centers to control heating, cooling, and ventilation systems.
How it could be exploited
An attacker on the network can send specially crafted requests to the web interface or API, without authenticating, to exploit the weak cryptography, integer overflow, or missing access control issues. Once exploited, the attacker can read sensitive data, execute commands, or crash the service.
Prerequisites
  • Network access to the Tracer SC, SC+, or Concierge device (typically port 80/443 for web interface)
  • Device must be reachable from the attacker's network segment (no authentication required for initial exploitation)
Tags: remotely exploitable · no authentication required · low complexity · no patch available for Tracer SC · affects building operations and climate control
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3): 1 pending, 2 EOL

Product            Affected Versions   Fix Status
Tracer SC          <v4.4 SP7           No fix (EOL)
Tracer SC+         <v6.3.2310          No fix (EOL)
Tracer Concierge   <v6.3.2310          No fix yet
Remediation & Mitigation
Do now
HARDENING: Ensure Tracer systems are not directly accessible from the internet; place them behind a firewall with explicit allow rules only from engineering workstations.
HARDENING: Use a VPN for all remote access to Tracer systems; ensure the VPN is patched and uses strong authentication.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Tracer SC+ to version 6.30.2313 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Tracer SC: <v4.4_SP7, Tracer SC+: <v6.3.2310. Apply the following compensating controls:
HARDENING: For Tracer SC (<v4.4_SP7): Isolate the device from network access and plan replacement or decommissioning, as no patch will be released.
HARDENING: For Tracer Concierge (<v6.3.2310): Contact Trane for patch availability; if unavailable, isolate the device from the network and monitor for exploitation attempts.
HARDENING: Segment the building management network (where Tracer runs) from the corporate business network.
API: /api/v1/advisories/a4c12257-9f5a-4832-9cdb-e59472be660e