CVE-2026-28256
Published: 2026-03-12
CVE-2026-28256: A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose…
Priority: P351 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.27% (17.9th percentile)
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trane | tracer_concierge | < v6.3.2310 | v6.3.2310 |
| trane | tracer_concierge | < 6.3.2310 | 6.3.2310 |
| trane | tracer_sc | < v4.4 SP7 | v4.4 SP7 |
| trane | tracer_sc | < v6.3.2310 | v6.3.2310 |
| trane | tracer_sc_+_firmware | < 6.3.2310 | 6.3.2310 |
| trane | tracer_sc_firmware | <= 4.4 | — |
| trane | tracer_sc_firmware | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 9.8 | CRITICAL | — |
CISA ICS
[CRITICAL] Trane Tracer SC, Tracer SC+, and Tracer Concierge
cisa_ics · 2026-03-12 · CVSS 9.8
ICS Advisory
## Trane Tracer SC, Tracer SC+, and Tracer Concierge
Release Date: March 12, 2026
Alert Code: ICSA-26-071-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
- Tracer SC
- Tracer SC+
- Tracer Concierge
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.1 | Trane | Trane Tracer SC, Tracer SC+, and Tracer Concierge | Use of a Broken or Risky Cryptographic Algorithm, Memory Allocation with Excessive Size Value, Missing Authoriza |
Red Hat
CVE-2026-2635 [CRITICAL] CWE-798 mlflow: MLflow Use of Default Password Authentication Bypass Vulnerability
vendor_redhat · 2026-02-20 · CVSS 9.8
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
A flaw was found in MLflow. A remote attacker can exploit this vulnerability by leveraging hard-coded default credentials present in the basic_auth.ini file. This allows the attacker to bypass authentication and execute arbitrary
GHSA
CVE-2026-28256 [MEDIUM] CWE-547 GHSA-7fm4-cpxv-5vqw: A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclos
ghsa_unreviewed · 2026-03-12
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
No detection rules found.
No public exploits indexed.
Hackernews
CVE-2026-11645 [HIGH] ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews · 2026-06-15 · CVSS 8.8
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Bugzilla
CVE-2026-2635 [CRITICAL] mlflow: MLflow Use of Default Password Authentication Bypass Vulnerability
bugzilla · 2026-02-20 · CVSS 9.8