Trane Symbio Improper Control of Generation of Code
The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
Description: CWE-94 Improper Control of Generation of Code ('Code Injection')
Metrics
Version
Base score
Base severity
Vector
3.1
7.5
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Version:3.1
Base score:7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Metrics Other Info
Impacts
CAPEC ID
Description
Solutions
Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.
Trane has identified the following specific mitigations:
Symbio 700 controllers: Upgrade to v1.00.0023 or later
Symbio 800 controllers: Upgrade to v1.00.0007 or later
In addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:
Restrict physical controller access to trained and trusted personnel.
Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.