PT-2014-1991 · Trane · Trane ComfortLink II
Published: 2014-04-09 · Updated: 2025-04-20 · CVE-2015-2867
| CVSS v2.0 | 10 (High) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Trane ComfortLink II SCC firmware version 2.0.2
Description
A design flaw in the service allows remote attackers to gain complete control of the system. The issue also involves predefined credentials, which an attacker can use to obtain unauthorized root access to the device over SSH.
Recommendations
For Trane ComfortLink II SCC firmware version 2.0.2, consider changing the predefined credentials to strong, unique ones to prevent exploitation. As a temporary workaround, restrict SSH access to the device until a patch is available.
Exploit
Fix
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Trane ComfortLink II