CVE-2023-4212

Summary

​A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.

Affected Software

VendorProductVersion RangeStatus
​Trane TechnologiesXL824 Thermostat0 <= 5.9.8affected
​Trane TechnologiesXL850 Thermostat0 <= 5.9.8affected
​Trane TechnologiesXL1050 Thermostat0 <= 5.9.8affected
Trane TechnologiesPivot Thermostat0 <= 1.8affected

Weaknesses

  • CWE-74: CWE-74 Injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References