CVE-2021-38448

Trane Symbio Improper Control of Generation of Code

Description

The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.

Remediation

Solution:

  • Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.
  • Trane has identified the following specific mitigations:
    • Symbio 700 controllers: upgrade to v1.00.0023 or later.
    • Symbio 800 controllers: upgrade to v1.00.0007 or later.
  • In addition to the specific recommendations above, Trane continues to recommend the following best practices as additional protection against this and other controller vulnerabilities:
    • Restrict physical controller access to trained and trusted personnel.
    • Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
    • Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
    • Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.

Category

CVSS: 7.5
Severity: High
EPSS: 0.13%
Third-Party Advisory: cisa.gov
Affected: Trane Symbio

References

https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01 (tags: mitigation, third party advisory, US government resource)

Frequently Asked Questions

What is the severity of CVE-2021-38448?
CVE-2021-38448 has been scored as a high severity vulnerability.
How to fix CVE-2021-38448?
To fix CVE-2021-38448:
  • Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.
  • Trane has identified the following specific mitigations:
    • Symbio 700 controllers: upgrade to v1.00.0023 or later.
    • Symbio 800 controllers: upgrade to v1.00.0007 or later.
  • In addition to the specific recommendations above, Trane continues to recommend the following best practices as additional protection against this and other controller vulnerabilities:
    • Restrict physical controller access to trained and trusted personnel.
    • Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
    • Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
    • Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.
Is CVE-2021-38448 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2021-38448 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-38448?
CVE-2021-38448 affects Trane Symbio.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.