PatchSiren cyber security CVE debrief
CVE-2026-28252 Trane CVE debrief
CVE-2026-28252 is a high-severity cryptographic weakness affecting Trane Tracer SC, Tracer SC+, and Tracer Concierge. CISA states it could let an attacker bypass authentication and gain root-level access, so affected OT/building-automation environments should treat it as a priority remediation item.
- Vendor
- Trane
- Product
- Tracer SC
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-12
- Original CVE updated
- 2026-03-12
- Advisory published
- 2026-03-12
- Advisory updated
- 2026-03-12
Who should care
Facilities and building-automation teams, OT security owners, and administrators responsible for Trane Tracer SC, Tracer SC+, or Tracer Concierge deployments. Also relevant to teams managing network access, monitoring, and patching for industrial control and building management systems.
Technical summary
The advisory classifies the issue as a Use of a Broken or Risky Cryptographic Algorithm weakness and maps it to CWE-327. The security impact described by CISA is authentication bypass with root-level access to the device. The source advisory is for Trane Tracer SC, Tracer SC+, and Tracer Concierge, and it includes vendor remediation guidance for affected versions.
Defensive priority
High. Authentication bypass plus root-level access in an OT/building-control device can have immediate operational and security consequences. Prioritize validation of exposure, vendor remediation, and compensating access controls.
Recommended defensive actions
- Confirm whether any Trane Tracer SC, Tracer SC+, or Tracer Concierge systems in your environment match the affected versions listed in the advisory.
- Apply the vendor-recommended update path referenced in the CISA advisory, and verify the exact fixed version for each product before scheduling maintenance.
- Restrict management access to trusted administrative networks or jump hosts only; avoid broad reachability from user or general-purpose networks.
- Review authentication and administrative logs for unexpected logins, privilege changes, or configuration modifications on affected devices.
- Follow CISA ICS recommended practices for segmentation, defense in depth, and monitored remote access while remediation is underway.
Evidence notes
CISA’s CSAF advisory ICSA-26-071-01 (published 2026-03-12) names Trane Tracer SC, Tracer SC+, and Tracer Concierge and describes a broken-or-risky-cryptography issue that can bypass authentication and yield root-level access. The advisory references CWE-327 and provides remediation guidance, including an update note for Tracer SC+ in the remediation section. The CVE and advisory were initially published on the same date, 2026-03-12.
Official resources
-
CVE-2026-28252 CVE record
CVE.org
-
CVE-2026-28252 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory and CVE record on 2026-03-12 as an initial publication.