ByteOS Network

Vulnerability Details :

CVE-2026-28256

Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At-12 Mar, 2026 | 17:34

Updated At-12 Mar, 2026 | 18:00

Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:icscert

Assigner Org ID:7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At:12 Mar, 2026 | 17:34

Updated At:12 Mar, 2026 | 18:00

▼CVE Numbering Authority (CNA)

Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Affected Products

Vendor

Trane

Product

Tracer SC

Default Status

unaffected

Versions

Affected

From 0 before v4.4 SP7 (custom)

Vendor

Trane

Product

Tracer SC+

Default Status

unaffected

Versions

Affected

From 0 before v6.3.2310 (custom)

Vendor

Trane

Product

Tracer Concierge

Default Status

unaffected

Versions

Affected

From 0 before v6.3.2310 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-547	CWE-547 Use of hard-coded, security-relevant constants

Type: CWE

CWE ID: CWE-547

Description: CWE-547 Use of hard-coded, security-relevant constants

Metrics

Version	Base score	Base severity	Vector
4.0	6.9	MEDIUM	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Version: 4.0

Base score: 6.9

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Solutions

Trane has released the following versions of Tracer SC+ for users to upgrade to: * CVE-2026-28255: Trane has implemented enhanced cloud security controls to mitigate this vulnerability.

Credits

finder

Noam Moshe of Claroty reported these vulnerabilities to CISA.

References

Hyperlink	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01	government-resource

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01

Resource:

government-resource

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:ics-cert@hq.dhs.gov

Published At:12 Mar, 2026 | 18:16

Updated At:27 Mar, 2026 | 16:25

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	6.9	MEDIUM	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 4.0

Base score: 6.9

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CPE Matches

trane>>tracer_sc\+_firmware>>Versions before 6.3.2310(exclusive)

cpe:2.3:o:trane:tracer_sc\+_firmware:*:*:*:*:*:*:*:*

trane>>tracer_sc\+>>*

cpe:2.3:h:trane:tracer_sc\+:*:*:*:*:*:*:*:*

trane>>tracer_sc_firmware>>Versions up to 4.4(inclusive)

cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:*

trane>>tracer_sc_firmware>>4.4

cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:*:*:*:*:*:*

trane>>tracer_sc_firmware>>4.4

cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:*:*:*:*:*:*

trane>>tracer_sc_firmware>>4.4

cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:*:*:*:*:*:*

trane>>tracer_sc_firmware>>4.4

cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:*:*:*:*:*:*

trane>>tracer_sc_firmware>>4.4

cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:*:*:*:*:*:*

trane>>tracer_sc_firmware>>4.4

cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6:*:*:*:*:*:*

trane>>tracer_sc>>*

cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*

trane>>tracer_concierge>>Versions before 6.3.2310(exclusive)

cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-547	Primary	ics-cert@hq.dhs.gov

CWE ID: CWE-547

Type: Primary

Source: ics-cert@hq.dhs.gov

References

Hyperlink	Source	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01	ics-cert@hq.dhs.gov	Third Party Advisory US Government Resource

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01

Source: ics-cert@hq.dhs.gov

Resource:

Third Party Advisory

US Government Resource

Similar CVEs

4Records found

CVE-2026-28255

Matching Score-8

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

View Details

Matching Score-8

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

CVSS Score-8.2||HIGH

EPSS-0.05% / 15.06%

7 Day CHG~0.00%

Published-12 Mar, 2026 | 17:33

Updated-27 Mar, 2026 | 16:25

Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Vendor-trane Trane

Product-tracer_sc\+_firmware tracer_sc\+tracer_concierge tracer_sc_firmware tracer_sc Tracer SC+Tracer SC Tracer Concierge

CWE ID-CWE-798

Use of Hard-coded Credentials

CVE-2026-28252

Matching Score-8

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

View Details

Matching Score-8

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

CVSS Score-9.2||CRITICAL

EPSS-0.03% / 8.59%

7 Day CHG~0.00%

Published-12 Mar, 2026 | 17:24

Updated-27 Mar, 2026 | 16:22

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.

Vendor-trane Trane

Product-tracer_sc\+_firmware tracer_sc\+tracer_concierge tracer_sc_firmware tracer_sc Tracer Concierge Tracer SC+Tracer SC

CWE ID-CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CVE-2025-30206

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-9.8||CRITICAL

EPSS-0.10% / 27.56%

7 Day CHG~0.00%

Published-15 Apr, 2025 | 19:14

Updated-15 Apr, 2026 | 00:35

Dpanel's hard-coded JWT secret leads to remote code execution

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.

Vendor-donknap

Product-dpanel

CWE ID-CWE-321

Use of Hard-coded Cryptographic Key

CWE ID-CWE-453

Insecure Default Variable Initialization

CWE ID-CWE-547

Use of Hard-coded, Security-relevant Constants

CVE-2023-1712

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

View Details

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

CVSS Score-9.1||CRITICAL

EPSS-0.51% / 66.54%

7 Day CHG~0.00%

Published-30 Mar, 2023 | 00:00

Updated-11 Feb, 2025 | 20:14

Use of Hard-coded, Security-relevant Constants in deepset-ai/haystack

Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack prior to 0.1.30.

Vendor-deepset deepset-ai

Product-haystack deepset-ai/haystack

CWE ID-CWE-547

Use of Hard-coded, Security-relevant Constants

CVE-2026-28256

Credits

Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Affected

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs