Command injection

2023-08-2219:16:00

PRIOn knowledge base

www.prio-n.com

command injection

trane

thermostat

usb

vulnerability

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.4%

JSON

?A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.

CPENameOperatorVersion
pivot_firmwarele1.8
xl1050_firmwarele5.9.8
xl824_firmwarele5.9.8
xl850_firmwarele5.9.8

Name	Operator	Version
pivot_firmware	le	1.8
xl1050_firmware	le	5.9.8
xl824_firmware	le	5.9.8
xl850_firmware	le	5.9.8

References

hub.tranetechnologies.com/docs/DOC-216377

www.cisa.gov/news-events/ics-advisories/icsa-23-234-02

www.trane.com/commercial/north-america/us/en/contact-us/locate-sales-offices.html