CVE-2026-28252
Broken Cryptographic Algorithm in Trane Tracer Enables Root Access
Publication date: 2026-03-12
Last updated on: 2026-03-27
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trane | tracer_sc_firmware | to 4.4 (inc) |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc+_firmware | to 6.3.2310 (exc) |
| trane | tracer_concierge | to 6.3.2310 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability involves the use of a broken or risky cryptographic algorithm in Trane Tracer SC, Tracer SC+, and Tracer Concierge devices.
An attacker could exploit this weakness to bypass authentication mechanisms and gain root-level access to the affected device.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to gain unauthorized root-level access to the device.
This level of access could lead to full control over the device, potentially allowing the attacker to manipulate device functions, access sensitive data, or disrupt operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know