PatchSiren cyber security CVE debrief
CVE-2026-28253 Trane CVE debrief
CVE-2026-28253 is a high-severity OT/ICS denial-of-service issue in Trane Tracer SC, Tracer SC+, and Tracer Concierge. According to the CISA advisory, an unauthenticated attacker could trigger a memory allocation path with an excessive size value and disrupt service availability. The issue is publicly disclosed through CISA and the CVE record; no KEV listing was provided in the supplied data.
- Vendor: Trane
- Product: Tracer SC (the advisory also covers Tracer SC+ and Tracer Concierge)
- CVSS: 7.5 (High)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-12
- Original CVE updated: 2026-03-12
- Advisory published: 2026-03-12
- Advisory updated: 2026-03-12
Who should care
OT operators, facility/building automation teams, and security teams responsible for Trane Tracer deployments should prioritize this advisory, especially where systems are reachable from untrusted networks or shared operational segments.
Technical summary
The source classifies the weakness as Memory Allocation with Excessive Size Value. In practical terms, a request can carry a size value that the software hands to its allocator without an adequate bound, driving an oversized allocation that consumes memory until the service is unavailable. The advisory states that the attacker does not need authentication. The supplied CSAF lists the affected versions as Tracer SC < v4.4_SP7, Tracer SC+ < v6.3.2310, and Tracer Concierge (no version bound is given in the supplied data), and includes vendor remediation guidance for Tracer SC+; verify the exact fixed build against the linked advisory before change control.
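To make the weakness class concrete, the following is an added, illustrative Python example written for this debrief. It is not Trane's code and does not model any Tracer protocol: a length-prefixed frame reader that sizes its allocation from the peer-supplied length field (the vulnerable pattern), beside a hardened reader that bounds the length before it reaches the allocator. The 4-byte big-endian header, the MAX_FRAME_BYTES ceiling, and the sample frames are assumptions made for the illustration.

```python
import io
import struct

# Assumed protocol ceiling for this illustration; a real parser takes it from the spec.
MAX_FRAME_BYTES = 64 * 1024

# Constructed sample inputs (not captured traffic).
GOOD_FRAME = struct.pack(">I", 5) + b"hello"
TRUNCATED_FRAME = struct.pack(">I", 5) + b"hel"
HOSTILE_HEADER = struct.pack(">I", 0xFFFFFFFF)   # claims a 4 GiB payload, sends none


def read_frame_unchecked(stream):
    """Vulnerable pattern (CWE-789): allocation sized by an untrusted length field.

    The peer chooses `length`; one header of 0xFFFFFFFF asks for 4 GiB before a
    single payload byte has arrived. Never feed this function hostile input.
    """
    (length,) = struct.unpack(">I", stream.read(4))
    buf = bytearray(length)            # attacker-controlled allocation size
    n = stream.readinto(buf)
    return bytes(buf[:n])


def read_frame_checked(stream, max_frame=MAX_FRAME_BYTES):
    """Hardened reader: validate the header and cap the length before allocating."""
    header = stream.read(4)
    if len(header) != 4:
        raise ValueError("short header")
    (length,) = struct.unpack(">I", header)
    if length > max_frame:
        raise ValueError("frame length %d exceeds cap %d" % (length, max_frame))
    buf = bytearray(length)            # now at most max_frame bytes
    n = stream.readinto(buf)
    if n != length:
        raise ValueError("truncated frame: expected %d bytes, got %d" % (length, n))
    return bytes(buf)


def requested_allocation(header):
    """Bytes the unchecked reader would try to allocate for a given header."""
    (length,) = struct.unpack(">I", header[:4])
    return length


def _rejects(data):
    """True if the hardened reader refuses the frame with ValueError."""
    try:
        read_frame_checked(io.BytesIO(data))
    except ValueError:
        return True
    return False


def demo():
    """Run the good, hostile and truncated samples through the hardened reader."""
    payload = read_frame_checked(io.BytesIO(GOOD_FRAME))
    return (payload,
            requested_allocation(HOSTILE_HEADER),
            _rejects(HOSTILE_HEADER),
            _rejects(TRUNCATED_FRAME))
```

The hardened reader rejects the hostile header before any allocation happens, which is the property that matters for availability: the cap must sit between the untrusted field and the allocator, not after it.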
Defensive priority
High
Recommended defensive actions
- Confirm whether any Trane Tracer SC, Tracer SC+, or Tracer Concierge systems are exposed outside tightly controlled OT networks.
- Apply the vendor-released fixed version referenced in the CISA CSAF advisory, following site change-management procedures.
- Restrict network access to affected devices with segmentation, allowlisting, and management-plane controls.
- Monitor affected systems for memory exhaustion, service instability, repeated restarts, or unexplained availability loss, and correlate any such events with unexpected inbound traffic to the devices from outside the OT segment.
- Review backups, recovery procedures, and operational fallback plans so a denial-of-service event can be restored quickly.
- Track the linked CISA advisory and CVE record for any updates or corrected remediation details.
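The first three actions above amount to an inventory triage: find every Tracer device, compare its version against the affected ranges, and flag anything reachable from an untrusted zone. The following is an added Python example written for this debrief, not a Trane or CISA tool. The version-string grammar (dot-separated numbers with an optional `_SPn` service-pack suffix), the inventory format, the sample hosts, and the set of trusted zones are assumptions.

```python
import re
from dataclasses import dataclass

# Affected ranges as stated in the CISA CSAF summarised above. Tracer Concierge is
# listed as affected with no version bound in the supplied data, so it is always
# flagged for manual verification.
AFFECTED_BELOW = {
    "Tracer SC": "v4.4_SP7",
    "Tracer SC+": "v6.3.2310",
}
VERIFY_PRODUCTS = {"Tracer Concierge"}

# Assumption: network zones this site treats as tightly controlled OT segments.
TRUSTED_ZONES = {"ot-bas"}

# Constructed sample inventory (host,product,version,zone); not real asset data.
INVENTORY = """\
# host,product,version,zone
bas-sc-01,Tracer SC,v4.4_SP6,ot-bas
bas-sc-02,Tracer SC,v4.4_SP7,ot-bas
bas-sc-03,Tracer SC,v4.4,corp-lan
bas-scp-01,Tracer SC+,v6.3.2309,corp-lan
bas-scp-02,Tracer SC+,v6.30.2313,ot-bas
bas-con-01,Tracer Concierge,v1.0,dmz
hvac-ctl-07,Other Controller,v2.1,ot-bas
"""


def version_key(version):
    """Comparable key for strings such as 'v4.4_SP7' or 'v6.3.2310'.

    Assumption: dot-separated numeric components with an optional '_SPn'
    service-pack suffix; a missing suffix counts as service pack 0.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:_SP(\d+))?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    numeric = tuple(int(part) for part in m.group(1).split("."))
    service_pack = int(m.group(2)) if m.group(2) else 0
    return (numeric, service_pack)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    affected: str   # "yes", "no" or "verify"
    exposed: bool   # sits outside a trusted OT zone


def triage(inventory_text, trusted_zones=TRUSTED_ZONES):
    """Flag every Tracer device that needs a patch decision or a network review."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version, zone = (field.strip() for field in line.split(","))
        if product in AFFECTED_BELOW:
            affected = "yes" if version_key(version) < version_key(AFFECTED_BELOW[product]) else "no"
        elif product in VERIFY_PRODUCTS:
            affected = "verify"
        else:
            continue   # not a product named in the advisory
        findings.append(Finding(host, product, version, affected, zone not in trusted_zones))
    # Worst first: affected (or unverified) and reachable from an untrusted zone.
    findings.sort(key=lambda f: (f.affected == "no", not f.exposed, f.host))
    return findings


def action_items(findings):
    """Hosts that need patching, plus exposed hosts that need network review regardless."""
    return [f.host for f in findings if f.affected != "no" or f.exposed]
```

Note how `bas-scp-02` at v6.30.2313 (the build named in the CSAF remediation line) compares as newer than the v6.3.2310 floor only because the second component is 30 rather than 3; the two strings do not obviously follow one scheme, which is exactly why the advisory text should be checked before trusting an automated comparison for Tracer SC+.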
Evidence notes
This debrief is based only on the supplied CISA CSAF source, the official CVE record link, and the official CISA advisory links. The source was published and modified on 2026-03-12T06:00:00.000Z. The advisory states that an unauthenticated attacker could cause a denial-of-service condition. The supplied enrichment does not indicate KEV inclusion. The supplied vendor metadata is marked low confidence, but the authoritative source names Trane. Note a version-string discrepancy in the source: the affected range is given as Tracer SC+ < v6.3.2310, while the remediation line names Tracer SC+ v6.30.2313; operators should verify the intended fixed build against the advisory before deployment.
Official resources
- CVE-2026-28253 CVE record (CVE.org)
- CVE-2026-28253 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)
Publicly disclosed by CISA in ICS Advisory ICSA-26-071-01 and published with CVE-2026-28253 on 2026-03-12T06:00:00.000Z.