?A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.
CPE | Name | Operator | Version |
---|---|---|---|
pivot_firmware | le | 1.8 | |
xl1050_firmware | le | 5.9.8 | |
xl824_firmware | le | 5.9.8 | |
xl850_firmware | le | 5.9.8 |