Cyber Resilience

CVE-2026-28256

Severity: Medium
Published: 12 March 2026
Modified: 27 March 2026
CVSS v4 score: 6.9 (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0027 (17.8th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-28256 is a medium-severity Use of Hard-coded, Security-relevant Constants (CWE-547) vulnerability in Trane Tracer SC firmware. Its CVSS v4 base score is 6.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-28256 is a Use of Hard-coded, Security-relevant Constants vulnerability (CWE-547) in Trane Tracer SC, Tracer SC+, and Tracer Concierge. Published on 2026-03-12, it could allow an attacker to disclose sensitive information and take over accounts. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity because of its high impact on confidentiality, integrity, and availability; note that this differs from the CVSS v4 score of 6.9 recorded above.

According to the v3.1 vector, an unauthenticated attacker with network access could exploit this vulnerability remotely with low attack complexity and no user interaction. The v4 vector recorded above instead rates attack complexity and privileges required as high (AC:H, PR:H), so the two assessments disagree on the preconditions for exploitation. Successful exploitation enables disclosure of sensitive information, account takeover, and potential disruption of system availability, with the hard-coded constants used to bypass security controls.

The CISA ICS advisory ICSA-26-071-01 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01) provides further details on mitigation and recommended actions for this vulnerability.

Vulnerability details

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

Remote, unauthenticated network exploitation of the public-facing ICS web/management interface (T1190), directly enabled by hard-coded security constants that permit credential disclosure and account takeover (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28254: same product (Trane Tracer Concierge)
CVE-2026-28252: same product (Trane Tracer Concierge)
CVE-2026-28255: same product (Trane Tracer Concierge)
CVE-2026-28253: same product (Trane Tracer Concierge)

Affected Assets

Trane Tracer SC+ firmware: ≤ 6.3.2310
Trane Tracer SC firmware: 4.4 (≤ 4.4)
Trane Tracer Concierge: ≤ 6.3.2310

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly mitigates CVE-2026-28256 by requiring timely identification, reporting, and correction of the hard-coded security-relevant constants flaw through vendor patching.

Detect: Detects the presence of the hard-coded constants vulnerability in Trane Tracer SC, SC+, and Concierge via regular vulnerability scanning.

Prevent (IA-5, Authenticator Management): Requires secure management of authenticators to avoid hard-coded security-relevant constants like those exploited in this CVE for account takeover.