Team82 identified a chain of severe, highly exploitable vulnerabilities in the widely deployed Trane Tracer SC+ HVAC controller affecting up to version v5.20.1362.
The flaws include an authentication bypass (CVE-2026-28252) leading to root-level remote code execution (RCE), a pre-auth denial-of-service (CVE-2026-28253), and sensitive information disclosure (CVE-2026-28254).
Research also uncovered hardcoded global credentials (CVE-2026-28255) and security-relevant constants (CVE-2026-28256) used to decrypt sensitive configuration and backup data.
These vulnerabilities could allow an unauthenticated remote attacker to gain complete control over a critical building management system.
When we think about modern data center infrastructure, we usually picture endless rows of server racks, high-speed fiber networks, and the massive compute power driving today’s internet. But behind all of it, another critical system works nonstop to keep everything alive: the cooling infrastructure.
In these environments, cooling is just as important as computing. Data center servers generate enormous amounts of heat, and an HVAC failure is far more than a comfort issue. It can trigger thermal shutdowns, damage expensive hardware, cause major service disruptions, and lead to millions of dollars in losses. Because these systems directly control the physical environment of critical facilities, they have become highly sensitive cyber-physical assets. In many ways, they are the digital brains behind the physical stability of the data center.
Recently, Team82 researched Trane Tracer SC+, a widely deployed heating, ventilation, and air conditioning (HVAC) controller used across data centers and other critical environments worldwide. A chain of severe vulnerabilities was uncovered buried deep within the device’s architecture.
The vulnerabilities affected Trane Tracer SC+ up to version v6.2. The vulnerabilities are highly exploitable and, if weaponized, could allow unauthenticated remote code execution (RCE) and extensive sensitive information disclosure. In practice, this could give an attacker complete control over a critical building management system from the outside.
In this deep dive, we break down the vulnerabilities we discovered, how they work under the hood, and how an attacker could leverage them to quite literally turn up the heat on some of the world’s most critical data centers.
We discovered a vulnerability in the Trane Diagnostic Service that enables attackers to bypass its authentication requirement, giving them full SSH access to the device. SSH is a cryptographic protocol that allows remote access to systems over a network.
The Trane Diagnostic Service is a remote access service intended for use by authorized Trane personnel. A challenge-response algorithm is meant to verify each connection: whenever a user tries to connect to a Trane device via SSH, the controller returns a randomly generated GUID (the challenge). To get SSH access to the machine, the user must enter the response corresponding to that challenge. If the value matches the one the device calculated, the user receives a shell.
However, we discovered that this algorithm is deterministic and involves no secret at all: any user who knows the algorithm can calculate the expected response, bypassing the authentication requirement.
To implement the challenge-response algorithm, a new pluggable authentication module (PAM) provider was inserted into the Linux configuration, implemented in pam_TraneAuthenitcate.so. Analysis of this module, specifically the pam_sm_authenticate function responsible for handling SSH authentication, revealed the underlying authentication logic. In this function, the binary takes the challenge GUID and runs the DecodePassword routine on it, which outputs the expected response. This is then compared against the value the user supplied, and the result of that comparison decides whether authentication succeeds.
Inside the DecodePassword routine we can see the deterministic algorithm used to generate the response. After some analysis, we determined that it is a modified substitution cipher.
The response array is calculated by the following equations, with the terms defined below:
response[0] = keypad[search.find(challenge[0])]
response[i] = keypad[(search.find(challenge[i]) - search.find(challenge[i-1])) % 31]
challenge: The server-generated random challenge GUID string presented during SSH authentication (format: XXXX-XXXX-XXXX-XXXX).
response: The client-generated password response string corresponding to the given challenge (same format as the challenge).
search: A hardcoded lookup array used by the custom PAM algorithm to locate characters from the challenge string.
keypad: A hardcoded translation array used by the custom PAM algorithm to derive the response characters.
i: The index of the character within the response array.
This algorithm uses no secret known only to Trane, so anyone can calculate the expected response for a given challenge, bypassing the authentication and receiving root-level shell access to the device. We recommend using a public-private key pair instead, with the private key held only by the intended users.
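To make the missing property concrete, here is an added example (not Trane's code and not the module analyzed above) of a challenge-response check in which the expected response is a keyed function of the challenge, so knowing the algorithm alone is not enough to answer it. The post's own recommendation is a public-private key pair; this example uses an HMAC with a per-device secret only because that needs nothing beyond the Python standard library. The secret value, the time limit and the class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import time
import uuid

# Added example, not Trane's code: a challenge-response check where the response
# depends on a per-device secret. An attacker who knows the algorithm but not the
# secret cannot compute a valid response, which is the property the deterministic
# DecodePassword routine described above lacks.

# Constructed per-device secret. On a real controller this would be provisioned
# per unit in protected storage, never a constant shared by every device.
DEVICE_SECRET = bytes.fromhex(
    "5d1f3c9a7e2b4d6f8a0c1e3b5d7f9a2c4e6b8d0f1a3c5e7b9d2f4a6c8e0b1d3f"
)

CHALLENGE_TTL_SECONDS = 30  # assumed lifetime of an issued challenge


def expected_response(secret: bytes, challenge: str) -> str:
    """Derive the response for a challenge; requires the secret the client must hold."""
    return hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).hexdigest()


class ChallengeVerifier:
    """Issues single-use, time-limited challenges and verifies the responses."""

    def __init__(self, secret: bytes, now=time.monotonic):
        self._secret = secret
        self._now = now                     # injectable clock, handy for testing expiry
        self._pending: dict[str, float] = {}  # challenge -> issue time

    def issue_challenge(self) -> str:
        challenge = str(uuid.uuid4())       # random GUID, the shape the page describes
        self._pending[challenge] = self._now()
        return challenge

    def verify(self, challenge: str, supplied: str) -> bool:
        # Single use: the challenge is consumed on the first attempt, good or bad,
        # so an observed response cannot be replayed.
        issued = self._pending.pop(challenge, None)
        if issued is None or self._now() - issued > CHALLENGE_TTL_SECONDS:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected_response(self._secret, challenge), supplied)


def demo() -> tuple[bool, bool, bool]:
    """Legitimate client succeeds; algorithm-only attacker fails; replay fails."""
    server = ChallengeVerifier(DEVICE_SECRET)

    challenge = server.issue_challenge()
    good = server.verify(challenge, expected_response(DEVICE_SECRET, challenge))

    # Someone who has reverse engineered the algorithm but holds no secret.
    challenge2 = server.issue_challenge()
    bad = server.verify(challenge2, expected_response(b"guessed-secret", challenge2))

    # Replaying the already-consumed first challenge.
    replay = server.verify(challenge, expected_response(DEVICE_SECRET, challenge))
    return good, bad, replay


if __name__ == "__main__":
    print(demo())
```

The verifier returns the same result for an unknown challenge, an expired one and a wrong response, so the client learns nothing about which check failed; the secret never leaves the device, and a captured challenge/response pair is useless after the first use.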
We also uncovered a denial-of-service (DoS) vulnerability in the main Trane server process, which handles HTTP and BACnet connections. Exploiting it requires no authentication, only access to the main HTTP port used by the device. BACnet is a standard communication protocol designed to connect and control smart building systems.
The vulnerability exists in HydraMain, the main binary handling most services. To read an incoming request, the binary uses the TEvoHttpReceiver class, which internally calls the recvLine function to read each header value.
This routine reads each header until it encounters the newline sequence \r\n, reading one byte at a time and checking whether it is a newline character. To store the data, the server allocates a new buffer (with the C++ new[] operator) each time the existing one fills up, growing with the amount of data received so far.
This is where the issue lies: the server does not limit the size a header may have. It starts by trying to read up to 0x40 bytes, but if a header exceeds that, the server simply allocates more space until it finds the newline characters. It does so by taking the current maximum size, applying a shift operation to it, and allocating a new buffer of the resulting size.
By connecting to the web server of an SC+ device and sending a huge amount of data (~2GB) without newline characters, the server is driven to allocate bigger and bigger buffers. At some point around 2GB, it tries to allocate a huge buffer and fails; the allocation failure in operator new[] is not handled and the process aborts with SIGABRT.
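The fix for this class of bug is an explicit upper bound on how much header data the server is willing to buffer before it gives up on the client. The following is an added example, not Trane's code and not the recvLine routine described above: a line reader that keeps the byte-at-a-time structure but fails fast once a line, the header block as a whole, or the number of header lines exceeds a limit. The limit values, the exception names and the sample input are assumptions constructed for the example.

```python
import io

# Added example, not Trane's code: a bounded header reader. Where the recvLine
# behaviour described above keeps reallocating a larger buffer until a newline
# arrives, this reader refuses input past a fixed limit, so memory use per
# connection is bounded no matter what the client sends.

MAX_LINE_BYTES = 8 * 1024      # assumed cap for one header line
MAX_HEADER_BYTES = 64 * 1024   # assumed cap for the whole header block
MAX_HEADER_COUNT = 100         # assumed cap on the number of header lines


class HeaderTooLarge(ValueError):
    """Raised when a client sends more header data than the server will buffer."""


def recv_line(stream, limit: int = MAX_LINE_BYTES) -> bytes:
    """Read one CRLF-terminated line; reject once `limit` bytes arrive without CRLF."""
    buf = bytearray()
    while True:
        byte = stream.read(1)          # one byte at a time, like the original routine
        if not byte:
            raise ConnectionError("peer closed the connection mid-line")
        buf += byte
        if buf.endswith(b"\r\n"):
            return bytes(buf[:-2])
        if len(buf) >= limit:
            # Reject instead of growing: this is the check the vulnerable code lacks.
            raise HeaderTooLarge(f"header line exceeds {limit} bytes")


def read_headers(stream) -> dict[str, str]:
    """Parse header lines up to the blank line, enforcing per-line, total and count limits.

    The stream is assumed to be positioned just after the request line.
    """
    headers: dict[str, str] = {}
    total = 0
    while True:
        line = recv_line(stream)
        total += len(line) + 2          # count the CRLF as well
        if total > MAX_HEADER_BYTES:
            raise HeaderTooLarge("header block too large")
        if line == b"":
            return headers              # blank line ends the header block
        if len(headers) >= MAX_HEADER_COUNT:
            raise HeaderTooLarge("too many header lines")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")


# Constructed sample input: a well-formed header block, and a header that never ends.
GOOD_REQUEST = b"Host: tracer.example\r\nContent-Length: 0\r\n\r\n"
ENDLESS_HEADER = b"X-Pad: " + b"A" * (MAX_LINE_BYTES * 4)   # no CRLF anywhere


def demo() -> tuple[dict, str]:
    """Return the parsed good headers and the outcome for the endless header."""
    parsed = read_headers(io.BytesIO(GOOD_REQUEST))
    try:
        read_headers(io.BytesIO(ENDLESS_HEADER))
        outcome = "accepted"
    except HeaderTooLarge:
        outcome = "rejected"
    return parsed, outcome


if __name__ == "__main__":
    print(demo())
```

With the limit in place the endless header is rejected after MAX_LINE_BYTES bytes, before any larger allocation is attempted; a production server would additionally close the connection and log the client address when this exception fires.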
We discovered multiple API routes on the Tracer SC+ web server that do not require authentication, giving an unauthenticated attacker access to sensitive information. This includes information about the device (license, serial number, remote access/cloud configuration), about its nested devices (devices connected to it via BACnet, LonTalk, etc.), and even the ability to communicate with these nested devices. An attacker could use this information to map the internal building automation network, identify connected controllers and critical infrastructure, and interact directly with downstream devices. This could enable reconnaissance for further attacks, unauthorized manipulation of building systems, disruption of HVAC operations, or lateral movement into other connected operational technology environments.
For example, any unauthenticated user can access the /evox/tis/websocketTunnelStatus API route, which will tell them whether the device is configured with Trane cloud or not.
Another example is the /evox/bacnet/report API route, which gives an unauthenticated user the complete BACnet report of the device.
Lastly, the /uidata/hui/NavTreeData.hui API route leaks cached GUI assets, including floor plans, pictures, etc.
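Until a controller is patched, operators can at least watch for requests to these routes. The following is an added example, not part of the original post and not a Trane tool: a small detector that flags web-server log entries for the three unauthenticated routes named above, with an extra flag when the client address is outside the ranges that should be talking to a building controller at all. The log format (Common Log Format), the sample lines and the management network range are constructed for the example; the Tracer SC+ log format itself is not described on this page.

```python
import ipaddress
import re

# Added example, not part of the original post: flag access-log entries that hit
# the unauthenticated information-disclosure routes described above.

SENSITIVE_ROUTES = {
    "/evox/tis/websocketTunnelStatus": "cloud/remote-access configuration",
    "/evox/bacnet/report": "full BACnet device report",
    "/uidata/hui/NavTreeData.hui": "cached GUI assets (floor plans, pictures)",
}

# Assumed: the only networks from which BMS operators and integration hosts
# should reach the controller's web interface.
MANAGEMENT_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Common Log Format: client ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one operator session from the management range, two
# hits from an address outside it, and one request that was refused.
SAMPLE_LOG = """\
10.50.3.21 - - [02/Mar/2026:09:14:02 +0000] "GET /evox/bacnet/report HTTP/1.1" 200 48213
10.50.3.21 - - [02/Mar/2026:09:14:05 +0000] "GET /login HTTP/1.1" 200 1532
198.51.100.77 - - [02/Mar/2026:09:20:11 +0000] "GET /evox/tis/websocketTunnelStatus?x=1 HTTP/1.1" 200 212
198.51.100.77 - - [02/Mar/2026:09:20:13 +0000] "GET /uidata/hui/NavTreeData.hui HTTP/1.1" 200 90311
192.0.2.9 - - [02/Mar/2026:09:31:40 +0000] "GET /evox/bacnet/report HTTP/1.1" 401 0
"""


def is_management(client: str) -> bool:
    """True when the client address falls inside an expected management range."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False                # hostnames or garbage are treated as untrusted
    return any(addr in net for net in MANAGEMENT_NETS)


def scan(log_text: str) -> list[dict]:
    """Return one finding per request to a sensitive route, oldest first."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # not in the expected format; skip rather than guess
        path = m["path"].split("?", 1)[0]   # match the route without its query string
        if path not in SENSITIVE_ROUTES:
            continue
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "route": path,
            "exposes": SENSITIVE_ROUTES[path],
            "status": int(m["status"]),
            "external": not is_management(m["client"]),
        })
    return findings


def external_clients(findings: list[dict]) -> set[str]:
    """Addresses outside the management ranges that were served a sensitive route."""
    return {f["client"] for f in findings if f["external"] and f["status"] == 200}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f)
    print("external clients served:", external_clients(found))
```

On the constructed sample the scan reports four hits (the /login request is ignored), and only 198.51.100.77 is both outside the management range and actually served a 200, which is the entry worth escalating.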
While looking for assets on the filesystem of the Tracer SC+, we discovered a file containing multiple encrypted, hardcoded credentials for several Trane remote services. These credentials are hardcoded and shared by all devices around the world.
Specifically, the /hydra/storage/config/TisGatewaySettings.cfg configuration file contains multiple credentials for Trane global servers. On disk these credentials are kept encrypted, but the keys needed to decrypt them are hardcoded (see the next disclosure, CVE-2026-28256).
We were able to decrypt the string and retrieve the cleartext value:
In addition, some of these credentials are used together with guessable or retrievable values, such as a device serial number used as a “password” (which can be retrieved from any device via an unprotected API route).
Lastly, we discovered multiple encryption keys, as well as private and public keys, that are hardcoded and kept on disk. The first example is the Blowfish key used for configuration encryption and decryption, as seen in CVE-2026-28255. Anyone who knows this hardcoded key can decrypt the encrypted configuration values. An attacker could leverage the recovered credentials to authenticate to connected systems, pivot deeper into the network, manipulate HVAC operations, gain access to other critical management interfaces, or even forge and deploy malicious firmware updates.
Another example is the keys and passwords kept on the device's /dev/mmcblk0boot0 block device, which holds the keys used to encrypt and decrypt backups as well as firmware updates. Usually this block device is not mounted, but any attacker with access to the device can mount it and view its contents.
The vulnerabilities identified in the Trane Tracer SC+ controller introduce significant security risks to the cooling infrastructure of data centers and other critical facilities worldwide. By chaining these issues together, an attacker could escalate from external access to full root-level control, potentially leading to operational disruption and physical impact.
We disclosed these findings to Trane and worked with them throughout the remediation process. To address these issues, Trane recommends updating Tracer SC+ controllers to version v6.3 (released March 1, 2026) or later.
Vulnerability Researcher
Amir Zaltzman is a vulnerability researcher on Team82.
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 5.8
A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 6.8
A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 5.8
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 7.5
A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 8.1