ICSA-26-071-01 · Published 2026-03-12 · View on CISA ICS-CERT ↗

Trane Tracer SC, Tracer SC+, and Tracer Concierge

CVSS 8.1 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

CVEs (5)

CVE-2026-28252 CVE-2026-28253 CVE-2026-28254 CVE-2026-28255 CVE-2026-28256

Remediations

Trane has released the following versions of Tracer SC+ for users to upgrade to:
CVE-2026-28252, CVE-2026-28253, CVE-2026-28254: Tracer SC+ version v6.30.2313
CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.
CVE-2026-28256: Trane has implemented enhanced security controls which have been communicated to their customers. For more information, contact Trane.

Affected Vendors

Trane

Affected Products (3)

Trane · Tracer SC <v4.4_SP7

Trane · Tracer SC+ <v6.3.2310

Trane · Tracer Concierge <v6.3.2310

Affected Sectors

Critical Manufacturing

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more