Return to Team82 Research

Nexus Podcast: Team82 on the Insecure IoT Cloud

December 16th, 2024 / 0 min read

Team82’s Noam Moshe discusses state actor targeting of OT, why it’s so challenging to develop ransomware for OT and industrial control systems, and the mitigation strategies available to defenders of cyber-physical systems.

Stay in the know Get the Team82 Newsletter

Recent Vulnerability Disclosures

CVE-2026-28256

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
- Tracer SC
- Tracer SC+
- Tracer Concierge
Trane asks Tracer SC+ users to upgrade to version v6.30.2313

CVSS v3: 5.8
CVE-2026-28255

A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
- Tracer SC
- Tracer SC+
- Tracer Concierge
Trane asks Tracer SC+ users to upgrade to version v6.30.2313

CVSS v3: 6.8
CVE-2026-28254

A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
- Tracer SC
- Tracer SC+
- Tracer Concierge
Trane asks Tracer SC+ users to upgrade to version v6.30.2313

CVSS v3: 5.8
CVE-2026-28253

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
- Tracer SC
- Tracer SC+
- Tracer Concierge
Trane asks Tracer SC+ users to upgrade to version v6.30.2313

CVSS v3: 7.5
CVE-2026-28252

A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
- Tracer SC
- Tracer SC+
- Tracer Concierge
Trane asks Tracer SC+ users to upgrade to version v6.30.2313

CVSS v3: 8.1

Nexus Podcast: Team82 on the Insecure IoT Cloud

CVE-2026-28256

CVE-2026-28255

CVE-2026-28254

CVE-2026-28253

CVE-2026-28252