Vulnerability Details CVE-2023-4212
A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats, allowing an attacker to execute arbitrary commands as root using a specially crafted filename. Exploitation requires physical access to the device via a USB stick.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.1%
CVSS Severity
CVSS v3 Score 6.8
Products affected by CVE-2023-4212
- cpe:2.3:o:trane:pivot_firmware:-
- cpe:2.3:o:trane:pivot_firmware:1.8
- cpe:2.3:o:trane:xl1050_firmware:-
- cpe:2.3:o:trane:xl1050_firmware:5.9.8
- cpe:2.3:o:trane:xl824_firmware:-
- cpe:2.3:o:trane:xl824_firmware:5.9.8
- cpe:2.3:o:trane:xl850_firmware:-
- cpe:2.3:o:trane:xl850_firmware:5.9.8