CVE-2026-28255
Published: 12 March 2026
Summary
CVE-2026-28255 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Trane Tracer SC Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks at the 15.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw Remediation requires identifying, prioritizing, and applying patches for vulnerabilities like this hard-coded credentials issue as detailed in the CISA advisory.
Authenticator Management mandates changing default and hard-coded authenticators prior to use, directly preventing exploitation of embedded credentials.
Account Management supports monitoring for anomalous activity and disabling accounts taken over through the hard-coded credentials vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded credentials (CWE-798) directly provide valid/default accounts that unauthenticated remote attackers can use against the exposed ICS web/management interface (T1190/T1133), resulting in account takeover via T1078/T1078.001.
NVD Description
A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Deeper analysis
CVE-2026-28255 is a Use of Hard-coded Credentials vulnerability (CWE-798) affecting Trane Tracer SC, Tracer SC+, and Tracer Concierge systems. Published on 2026-03-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts across confidentiality, integrity, and availability.
The vulnerability enables remote exploitation over the network by unauthenticated attackers requiring no privileges or user interaction, with low attack complexity. Successful attacks could allow disclosure of sensitive information and takeover of accounts on affected systems.
CISA's ICS Advisory ICSA-26-071-01 provides details on this vulnerability; practitioners should consult it for recommended mitigations and patch information.
Details
- CWE(s)