PatchSiren cyber security CVE debrief
CVE-2026-28255 Trane CVE debrief
CVE-2026-28255 is a CISA-published industrial control systems advisory for hard-coded credentials in Trane Tracer SC, Tracer SC+, and Tracer Concierge. According to the advisory, the issue could expose sensitive information and enable account takeover.
- Vendor: Trane
- Product: Tracer SC
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-12
- Original CVE updated: 2026-03-12
- Advisory published: 2026-03-12
- Advisory updated: 2026-03-12
Who should care
OT and facilities teams running Trane Tracer SC, Tracer SC+, or Tracer Concierge; administrators responsible for building automation, HVAC, or connected cloud-managed control environments; and incident responders monitoring privileged account abuse in these systems.
Technical summary
The advisory describes a Use of Hard-coded Credentials weakness. The supplied CVSS v3.1 vector indicates a network attack vector with high privileges required and no user interaction. CISA's advisory states the impact can include disclosure of sensitive information and account takeover. The advisory also includes SSVCv2 notation E:N/A:N.
Defensive priority
Medium priority for affected OT environments; higher priority where these systems are internet-reachable, centrally managed, or support sensitive building operations.
Recommended defensive actions
- Upgrade affected Trane products to the vendor-fixed versions referenced in the advisory (affected versions include Tracer SC below v4.4_SP7 and Tracer SC+ below v6.3.2310) and apply the vendor guidance for Tracer Concierge.
- Review the CISA advisory for any product-specific remediation details and confirm which deployed assets map to the affected product names.
- Inventory Trane Tracer deployments and identify any exposed management interfaces, cloud integrations, or privileged accounts that could be abused if credentials are hard-coded.
- Rotate and review privileged credentials and related account access paths where the vendor guidance allows it, especially for administrative and cloud-connected accounts.
- Monitor for unexpected account creation, login anomalies, and configuration changes on affected systems.
- Follow CISA ICS recommended practices and defense-in-depth guidance for segmentation, least privilege, and access control around OT systems.
Evidence notes
This debrief is based on the supplied CISA CSAF advisory source item (ICSA-26-071-01) published 2026-03-12 and its linked references. The advisory text explicitly states: "A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts." The supplied source metadata also includes SSVCv2 notation E:N/A:N and a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N. No KEV entry is included in the supplied enrichment.
Official resources
- CVE-2026-28255 CVE record (CVE.org)
- CVE-2026-28255 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in ICSA-26-071-01 on 2026-03-12. The supplied enrichment does not mark this CVE as KEV-listed.