Vulnerability Description
A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.
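The weakness class described above (an untrusted filename from removable media reaching a shell) is easiest to see side by side with its hardened form. The following is an added, constructed illustration, not Trane firmware code and not an exploit for this CVE: the mount point, staging directory and `cp` invocation are placeholders, and the only claim is that an argv list with no shell, plus a strict filename allowlist, removes the injection surface.

```python
from __future__ import annotations

import re
import shlex
import subprocess
import sys

# Placeholder paths for a constructed illustration; they are NOT taken from the
# Trane firmware and nothing here reflects how the thermostats handle USB media.
USB_MOUNT = "/media/usb"
STAGING_DIR = "/tmp/staging"


def naive_command(filename: str) -> str:
    """Vulnerable pattern (CWE-78 style): an attacker-controlled filename read from
    removable media is spliced into a command string that a shell will parse."""
    return f"cp {USB_MOUNT}/{filename} {STAGING_DIR}/"


def shell_tokens(command: str) -> list[str]:
    """Tokenize the string the way a POSIX shell would, keeping control operators
    such as ';' as their own tokens so an injected command boundary is visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


# Hardened path, layer 1: validate the name against a strict allowlist. The pattern
# forbids path separators, a leading '-' or '.', shell metacharacters and long names.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_accepted(filename: str) -> bool:
    """True only for names that match the allowlist exactly."""
    return SAFE_NAME.fullmatch(filename) is not None


def hardened_argv(filename: str) -> list[str]:
    """Hardened path, layer 2: build an argv list and never involve a shell.
    '--' ends option parsing so even a name starting with '-' could not become a flag."""
    if not is_accepted(filename):
        raise ValueError(f"rejected filename from removable media: {filename!r}")
    return ["cp", "--", f"{USB_MOUNT}/{filename}", f"{STAGING_DIR}/"]


def argv_as_received(filename: str) -> str:
    """Show that an argv list delivers the name as ONE literal argument: spawn a
    child without a shell and have it print back exactly what it got in argv[1]."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample names as they might appear on a USB stick.
    for name in ["update.bin", "update.bin;reboot"]:
        print("shell would see :", shell_tokens(naive_command(name)))
        print("argv child saw  :", repr(argv_as_received(name)))
        print("allowlist accepts:", is_accepted(name))
```

The tokenizer output is the point: for the second sample the naive string splits into a second command after `;`, while the same name passed as an argv element arrives in the child as one literal string. The allowlist is a second layer; the argv list alone already prevents the shell from interpreting the name, and rejecting unexpected names additionally blocks path traversal and option injection.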
CVSS Score
6.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Trane | Xl824 Firmware | <= 5.9.8 |
| Trane | Xl824 | - |
| Trane | Xl850 Firmware | <= 5.9.8 |
| Trane | Xl850 | - |
| Trane | Xl1050 Firmware | <= 5.9.8 |
| Trane | Xl1050 | - |
| Trane | Pivot Firmware | <= 1.8 |
| Trane | Pivot | - |
Related Weaknesses (CWE)
References
- https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-02 (Broken Link)
- https://hub.tranetechnologies.com/docs/DOC-216377 (Permissions Required)
- https://www.trane.com/commercial/north-america/us/en/contact-us/locate-sales-off (Product)
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-02 (Third Party Advisory)
FAQ
What is CVE-2023-4212?
CVE-2023-4212 is a vulnerability with a CVSS score of 6.8 (MEDIUM). A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.
How severe is CVE-2023-4212?
CVE-2023-4212 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-4212?
Check the references section above for vendor advisories and patch information. Affected products include: Trane Xl824 Firmware, Trane Xl824, Trane Xl850 Firmware, Trane Xl850, Trane Xl1050 Firmware, Trane Xl1050, Trane Pivot Firmware, and Trane Pivot.