Trane · Trane Xl850 · CVE-2023-4212
**Name of the Vulnerable Software and Affected Versions**
Trane XL824, XL850, XL1050, and Pivot thermostats (affected versions not specified)
**Description**
A command injection issue exists, allowing an attacker to execute arbitrary commands as root using a specially crafted filename. This requires physical access to the device via a USB stick.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.