Claroty flags data centre risks in Vertiv & Trane kit
Claroty identified critical vulnerabilities in Vertiv power supply network cards and Trane HVAC controllers used in data centers. According to Claroty, these flaws in cyber-physical systems could allow unauthenticated remote code execution, potentially causing catastrophic facility downtime and hardware failure as AI workloads increase infrastructure demand.
Why are Vertiv and Trane vulnerabilities a risk to data centers?
These vulnerabilities target the physical infrastructure that keeps servers running. Claroty’s research found critical flaws in network cards attached to Vertiv uninterruptible power supply (UPS) systems. These devices protect hardware from power fluctuations and maintain uptime during outages.

Simultaneously, Claroty identified a chain of severe vulnerabilities in the Trane Tracer SC+ automated HVAC controller. Because data centers rely on precise temperature control to prevent hardware meltdown, a compromise of the cooling system can lead to immediate service interruptions.
How could an attacker exploit these cyber-physical systems?
The Trane Tracer SC+ vulnerabilities are particularly dangerous because they could allow unauthenticated remote code execution. According to Claroty, an attacker could potentially gain full remote control of the HVAC system without needing any prior access credentials.
This represents a shift in attack vectors. Instead of targeting the data on a server, an attacker targets the power or cooling that allows the server to exist. Claroty notes that these “cyber-physical systems” (CPS) create a bridge where a digital breach results in a physical failure.
The shift from IT security to OT resilience
Most data center security focuses on IT assets like firewalls and encryption. However, these findings highlight a gap in Operational Technology (OT) security. While servers are patched frequently, power and cooling controllers are often treated as “set and forget” hardware.

Claroty reported that it disclosed these flaws to Trane and Vertiv before making them public. Both vendors worked on remediation, but the incident underscores a recurring industry problem: legacy OT assumptions clashing with modern internet connectivity.
What happens when cooling and power systems fail?
A failure in the Vertiv UPS system can lead to sudden power loss or surges, which can fry sensitive circuitry in high-end GPUs and CPUs. According to the research, the impact often extends beyond a single device because power infrastructure is tightly integrated across the facility.
Cooling failures escalate just as quickly. If an attacker disables the Trane HVAC controllers, computing equipment can reach critical temperatures within minutes. This forces automated thermal shutdowns, killing active workloads and potentially damaging hardware.
How should data center operators manage CPS risks?
Operators must move toward a model of “operational resilience” rather than just “cyber security.” Amir Preminger, Chief Technology Officer at Claroty and Head of Team82, stated that data centers need a fundamental shift in how they define resilience goals.
Preminger noted that a single cyber incident can lead to physical disruption or safety hazards. He urged operators to treat CPS protection as a “business imperative” to maintain uptime.
Practical steps include:
- Network Segmentation: Isolate HVAC and UPS controllers from the general corporate network.
- Vendor Coordination: Follow manufacturer guidance for patching OT devices, as these require more caution than standard software updates to avoid accidental downtime.
- Asset Inventory: Map every connected power and cooling device to identify the full attack surface.
FAQ: Data Center Cyber-Physical Security
What is a cyber-physical system (CPS)?
A CPS is an integration of computation, networking, and physical processes. In data centers, this includes the digital controllers that manage physical electricity and air cooling.

Can these vulnerabilities be patched?
Yes. Claroty disclosed the findings to Vertiv and Trane, and both companies have worked on remediation. Operators should check for the latest firmware updates from their vendors.
Why is AI making this more dangerous?
AI workloads require significantly more power and generate more heat than traditional cloud computing. This makes the facility more dependent on the very systems (UPS and HVAC) that are currently vulnerable.