Researchers at Claroty identified critical security flaws in two key data center infrastructure components: Vertiv UPS network cards and the Trane Tracer SC+ HVAC controller. The Vertiv UPS network cards are vulnerable to an authentication bypass and a remote code execution vulnerability, which when chained, allow attackers to remotely execute arbitrary code on UPS devices. This threatens the power continuity and protection mechanisms critical to data center operations. The Trane Tracer SC+ HVAC controller contains multiple vulnerabilities including authentication bypass, remote code execution, denial of service, and sensitive information disclosure. These flaws could enable unauthenticated attackers to take full control of HVAC systems, risking thermal shutdowns and hardware damage. Claroty coordinated disclosure with Vertiv and Trane, resulting in patches to address these vulnerabilities.

Successful exploitation of the Vertiv UPS network card vulnerabilities could allow attackers to remotely control UPS devices, disrupting power management and potentially causing unsafe shutdowns or damage to data center equipment. Exploiting the Trane Tracer SC+ HVAC controller vulnerabilities could enable attackers to remotely execute code, cause denial of service, or access sensitive information, leading to HVAC failures that risk overheating, hardware damage, and service disruption. These impacts threaten the operational continuity and physical safety of data centers, with potential financial losses in the millions.

Patches have been developed and released by Vertiv and Trane to address these vulnerabilities. Organizations using these products should apply the official vendor patches promptly to mitigate the risks. There is no indication that these vulnerabilities are exploited in the wild at this time. No additional mitigation steps are specified beyond applying the vendor-provided fixes.