History: Aug 22, 2023 - 5:34 p.m.

CVE-2023-4212 Trane Thermostats Injection

2023-08-22 17:34:12
CWE-74
icscert
www.cve.org
trane, thermostats, command injection, vulnerability, cve-2023-4212, trane xl824, trane xl850, trane xl1050, pivot, physical access, usb stick

CVSS3: 6.8 Medium

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.1 High
Confidence: High

EPSS: 0.0005 Low
Percentile: 16.4%

A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "XL824 Thermostat",
    "vendor": "​Trane Technologies",
    "versions": [
      {
        "lessThanOrEqual": "5.9.8 ",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "XL850 Thermostat",
    "vendor": "​Trane Technologies",
    "versions": [
      {
        "lessThanOrEqual": "5.9.8",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "XL1050 Thermostat",
    "vendor": "​Trane Technologies",
    "versions": [
      {
        "lessThanOrEqual": "5.9.8 ",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Pivot Thermostat",
    "vendor": "Trane Technologies",
    "versions": [
      {
        "lessThanOrEqual": "1.8 ",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
