Main Vulnerability Database Vulnerabilities #VU80014

#VU80014 Command Injection in Trane products - CVE-2023-4212

Published: August 25, 2023

Vulnerability identifier: #VU80014

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-4212

CWE-ID: CWE-77

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
XL824 Thermostat
XL850 Thermostat
XL1050 Thermostat
Pivot Thermostat

Software vendor:
Trane

Description

The vulnerability allows a local attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation. An attacker with physical access can use a specially crafted filename and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-02
https://hub.tranetechnologies.com/docs/DOC-216377
https://www.trane.com/commercial/north-america/us/en/contact-us/locate-sales-offices.html

#VU80014 Command Injection in Trane products - CVE-2023-4212

Description

Remediation

External links

Please verify you're human