Cyber Posture

CVE-2026-28256

Critical

Published: 12 March 2026
Modified: 27 March 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28256 is a critical-severity Use of Hard-coded, Security-relevant Constants (CWE-547) vulnerability in Trane Tracer SC firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 16.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- SI-2 Flaw Remediation (prevent): Directly mitigates CVE-2026-28256 by requiring timely identification, reporting, and correction of the hard-coded security-relevant constants flaw through vendor patching.
- detect: Detects the presence of the hard-coded constants vulnerability in Trane Tracer SC, SC+, and Concierge via regular vulnerability scanning.
- IA-5 Authenticator Management (prevent): Requires secure management of authenticators to avoid hard-coded security-relevant constants like those exploited in this CVE for account takeover.

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

A remote, unauthenticated network exploit of the public-facing ICS web/management interface (T1190) is directly enabled by hard-coded security constants that permit credential disclosure and account takeover (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Deeper analysis [AI]

CVE-2026-28256 is a Use of Hard-coded, Security-relevant Constants vulnerability (CWE-547) in Trane Tracer SC, Tracer SC+, and Tracer Concierge. Published on 2026-03-12, it could allow an attacker to disclose sensitive information and take over accounts. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impacts across confidentiality, integrity, and availability.

An unauthenticated attacker with network access can exploit this vulnerability remotely, with low attack complexity and no user interaction required. Successful exploitation enables disclosure of sensitive information, account takeover, and potential disruption of system availability, since the hard-coded constants allow the attacker to bypass the affected security controls.

The CISA ICS advisory ICSA-26-071-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01 provides further details on mitigation and recommended actions for addressing this vulnerability.

Details

CWE(s)

- CWE-547 Use of Hard-coded, Security-relevant Constants

Affected Products

| Vendor | Product | Affected versions |
|---|---|---|
| Trane | Tracer SC+ firmware | ≤ 6.3.2310 |
| Trane | Tracer SC firmware | 4.4 · ≤ 4.4 |
| Trane | Tracer Concierge | ≤ 6.3.2310 |

CVEs Like This One

- CVE-2026-28254 (same product: Trane Tracer Concierge)
- CVE-2026-28252 (same product: Trane Tracer Concierge)
- CVE-2026-28255 (same product: Trane Tracer Concierge)
- CVE-2026-28253 (same product: Trane Tracer Concierge)
