CVE-2026-28254 – Trane Tracer SC

CVSS 7.5 IMPORTANT Critical or Zero Day – Immediate Deployment

“Building control systems become business risks when attackers can bypass trust and reach sensitive functions.”

Trane patched four vulnerabilities affecting Tracer SC, Tracer SC+, and Tracer Concierge. CVE-2026-28252 has a CVSS score of 9.2, which is Critical severity. CVE-2026-28253 has a CVSS score of 8.7, which is High severity. CVE-2026-28254 has a CVSS score of 6.9, which is Medium severity. CVE-2026-28255 has a CVSS score of 8.2, which is High severity.

The issues include risky cryptography that could allow authentication bypass and root-level access, excessive memory allocation that could cause denial of service, missing authorization that could expose sensitive information through unprotected APIs, and hard-coded credentials that could enable account takeover. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Affected Product
Trane Tracer Sc Firmware
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-862
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.