Critical severity9.8NVD Advisory· Published Jan 6, 2017· Updated May 6, 2026

CVE-2015-2868

Description

An exploitable remote code execution vulnerability exists in the Trane ComfortLink II firmware version 2.0.2 in DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long REG request that can overflow a fixed size stack buffer, resulting in arbitrary code execution.

Affected products

Track\+/Comfortlink Ii Firmware
cpe:2.3:o:trane:comfortlink_ii_firmware:2.0.2:*:*:*:*:*:*:*
Trane/ComfortLink II SCC firmwarev5
Range: 2.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.talosintelligence.com/reports/TALOS-2016-0027/nvdExploitTechnical DescriptionThird Party Advisory
www.securityfocus.com/bid/95118nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.007
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000