Critical HVAC and UPS Vulnerabilities Could Disrupt Data Centers

What happened

Claroty researchers uncovered multiple vulnerabilities in two widely deployed HVAC and UPS products used in data centers, showing how attackers could exploit them to launch disruptive remote attacks.

The researchers analyzed network cards designed to provide a network interface for uninterruptible power supply devices made by Vertiv. UPS devices are widely used in data centers to keep operations running during power outages, protect systems from power spikes and drops, and enable safe shutdowns.

Claroty found that the Vertiv network cards, which provide a default web interface for UPS devices, were affected by two vulnerabilities: an authentication bypass flaw and a remote code execution vulnerability. Chaining the two vulnerabilities could allow an attacker to remotely access a targeted UPS and execute arbitrary code, potentially causing significant operational disruption.

Claroty also analyzed the Trane Tracer SC+ HVAC controller, which is widely used in data centers and other critical environments worldwide. Researchers discovered several vulnerabilities in the controller, including authentication bypass, remote code execution, denial-of-service, and sensitive information disclosure issues.

The HVAC flaws are highly exploitable and could allow unauthenticated remote code execution and extensive sensitive information disclosure. In practice, exploitation could give an attacker complete control over a critical building management system from the outside.

The data center impact could be severe. Servers generate large amounts of heat, and an HVAC failure can trigger thermal shutdowns, damage expensive hardware, cause major service disruptions, and lead to millions of dollars in losses.

Claroty reported its findings to Trane and Vertiv and worked with both companies to patch the vulnerabilities.

Who is affected

Data centers and other critical environments that run the affected Vertiv UPS network cards or Trane Tracer SC+ HVAC controllers are exposed to these vulnerabilities.

Organizations that rely on UPS devices for power continuity or HVAC systems for server cooling face operational risk if these systems are exposed to remote compromise. The vulnerabilities could allow attackers to interfere with power support systems, gain control over building management systems, or disrupt environmental controls that keep data center infrastructure running safely.

Why CISOs should care

These vulnerabilities show why data center cyber risk extends beyond servers, applications, and network devices. UPS and HVAC systems support the physical conditions required for digital operations. If those systems are compromised, attackers may be able to create outages without directly attacking production workloads.

The Vertiv issue is especially concerning because chaining the authentication bypass and remote code execution vulnerabilities could allow remote access to a UPS and arbitrary code execution. In a data center, weaknesses in UPS communication modules can directly affect the systems they protect.

The Trane HVAC vulnerabilities are also significant because compromise could give an attacker control over a critical building management system from outside the environment. For CISOs, that makes cyber-physical systems part of availability, resilience, and business continuity planning.

3 practical actions

  1. Patch affected UPS and HVAC systems promptly: Claroty reported the vulnerabilities to Vertiv and Trane and worked with both vendors on patches. CISOs should confirm whether affected Vertiv UPS network cards or Trane Tracer SC+ HVAC controllers are present in their environments and apply available updates.
  2. Segment building management and power systems from enterprise networks: The affected products support UPS and HVAC functions that can disrupt data center operations if compromised. Security teams should limit remote access, isolate management interfaces, and restrict communication paths to trusted administrative networks.
  3. Include cyber-physical systems in resilience planning: HVAC failure can trigger thermal shutdowns, hardware damage, service disruption, and major financial losses. CISOs should ensure incident response and business continuity plans cover UPS, HVAC, and building management systems, not only traditional IT assets.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.