Vulnerabilities discovered in Trane, Vertiv data center products

Facilities Dive · June 20, 2026

Cybersecurity research firm Claroty’s Team82 has identified critical security vulnerabilities in data center infrastructure products from Vertiv and Trane. These flaws affect uninterruptible power supply (UPS) network cards and HVAC controllers, potentially allowing unauthorized actors to disrupt power operations or gain control over building management systems. For facilities managers, these discoveries highlight the urgent need to implement firmware updates to protect critical operational technology and ensure facility uptime. These vulnerabilities are particularly significant as they could allow attackers to shut down entire facilities or move laterally through building automation networks.

Team82, a research arm of cybersecurity firm Claroty, discovered two vulnerabilities in Vertiv’s Liebert IS-UNITY-DP network cards that were assigned a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System. These cards act as the network interface for uninterruptible power supply (UPS) devices, which are essential for keeping servers, routers, and control systems stable during power outages by switching to internal battery power. The report warns that successful exploits could allow attackers to execute arbitrary code or request an 'output OFF' command in a managed UPS configuration, effectively shutting down any connected equipment and potentially impacting an entire data center facility.

Vulnerabilities were also identified in the Trane Tracer SC+ HVAC controller, which could allow unauthenticated remote attackers to gain complete control over critical building management systems. Team82 found that multiple API routes on the Tracer SC+ web server did not require authentication, exposing sensitive information about the device and its nested connections via protocols like BACnet or LonTalk. This exposure allows unauthorized actors to map internal building automation networks, identify critical infrastructure, and potentially move laterally into other connected operational technology environments, leading to unauthorized manipulation of building systems.

To mitigate these risks, both manufacturers have released software updates and recommend that facility operators apply them immediately. Vertiv suggests users apply Liebert RDU101 and IS-UNITY firmware updates, while Trane recommends updating Tracer SC+ controllers to v6.3 or later. A Trane Technologies spokesperson stated that the company is following Cybersecurity and Infrastructure Security Agency (CISA) best practices and notifying impacted customers, noting there is currently no indication that the vulnerability is being actively exploited. Vertiv did not respond to a request for comment regarding the findings prior to the report's publication.

Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to Facilities Dive.