Trane Symbio (CVE-2021-38448)

Severity: High. Tenable OT Security Plugin ID 501740


The remote OT asset is affected by a vulnerability.


The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.

This plugin only works with Tenable.ot.
Please visit for more information.


The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at

Affected users should contact a Trane office to make arrangements to install updated firmware or to request additional information. Please reference Trane service database number HUB-205962 when contacting Trane. Trane recommends the applications below be updated to the versions listed below.

Symbio 700:

- Odyssey Split Systems: All versions prior to v1.00.0023

Symbio 800:

- IntelliPak Rooftop Air Conditioner: All versions prior to v1.30.0008
- Ascend Air-cooled Chiller Model ACR: All versions prior to v1.10.0010
- Agility Water-Cooled Chiller Model HDWA: All versions prior to v1.00.0010

In addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:

- Restrict physical controller access to trained and trusted personnel.
- Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
- Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
- Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.


Plugin Details

Severity: High

ID: 501740

Version: 1.5

Type: remote

Family: Tenable.ot

Published: 9/27/2023

Updated: 2/21/2024

Supported Sensors: Nessus

Risk Information


Risk Factor: High

Score: 7.3


CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-38448


CVSS v3

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.6

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:trane:symbio_700, cpe:/a:trane:symbio_800

Required KB Items: Tenable.ot/Trane

Exploit Ease: No known exploits are available

Patch Publication Date: 11/22/2021

Vulnerability Publication Date: 11/22/2021

Reference Information

CVE: CVE-2021-38448

CWE: 94