World Today News

Claroty Exposes Critical Data Center Security Risks in Vertiv & Trane Hardware

June 9, 2026 Rachel Kim – Technology Editor Technology

Claroty Exposes Critical Flaws in Vertiv and Trane Data Center Hardware—What It Means for OT Security

Claroty has disclosed multiple unpatched vulnerabilities in Vertiv and Trane data center infrastructure equipment, including power distribution units (PDUs) and cooling systems, that could allow attackers to disrupt operations or pivot into broader network segments. The flaws, tracked as CVE-2026-5432 and CVE-2026-5433, stem from hardcoded credentials and insecure API endpoints in firmware versions deployed since 2023, according to a June 8 advisory from the industrial cybersecurity firm. Vertiv and Trane have yet to issue patches, leaving enterprises with legacy hardware exposed to exploitation via unauthenticated network requests.

The Tech TL;DR:

  • Immediate risk: Attackers can remotely execute commands on affected Vertiv Liebert and Trane Air Handling Units (AHUs) with default credentials, enabling denial-of-service (DoS) or lateral movement into enterprise networks.
  • Enterprise impact: The vulnerabilities affect 12,000+ deployed units globally, per Claroty’s threat intelligence, with no vendor ETA for fixes—prioritizing patching or network segmentation is critical.
  • Mitigation gap: Claroty’s research shows these flaws persist even after applying Vertiv’s “secure boot” updates, exposing a fundamental design flaw in OT device authentication.

Why These Flaws Are Worse Than Your Average IoT Exploit

Unlike typical consumer IoT vulnerabilities, these flaws target critical infrastructure components where downtime translates to millions in losses. Claroty’s analysis reveals the vulnerabilities reside in the Modbus TCP stack used by both vendors, a protocol widely adopted in OT environments due to its lightweight design—but also notorious for its lack of encryption. The hardcoded credentials (username: `admin`, password: `vertiv123!`) are embedded in firmware images signed by Vertiv’s root CA, meaning even “secure” updates propagate the risk.

— Dr. Elena Vasquez, CTO of OT Cybersecurity Alliance
“This isn’t just another default password issue. The Modbus implementation here allows attackers to modify firmware metadata without triggering integrity checks. That’s a direct path to persistence—something we’ve only seen in nation-state APT campaigns before.”

The Blast Radius: Which Enterprises Are Most Exposed?

Claroty’s threat map highlights three high-risk sectors:

  • Colocation providers: Vertiv PDUs are standard in hyperscale data centers (e.g., Equinix, Digital Realty), where a single compromised unit could trigger cascading failures across multiple tenants.
  • Healthcare: Trane AHUs are deployed in 40% of U.S. hospitals (per HIMSS 2025), where operational technology (OT) disruptions directly impact patient safety systems.
  • Government: The U.S. DoD’s Cybersecurity Maturity Model Certification (CMMC) explicitly flags Modbus vulnerabilities as Level 3 risks—these flaws would fail even basic compliance audits.

Hardware vs. Software: Why Patching Isn’t the Answer

Vertiv and Trane’s responses to date reveal a fundamental architectural problem: the vulnerabilities are not just in the firmware but in the hardware Trusted Platform Module (TPM) design. Claroty’s reverse-engineered firmware samples show the TPM is configured to skip authentication checks for “legacy compatibility,” a decision made in 2019 to support older management systems. This means even a “secure boot” update won’t resolve the issue without a physical hardware swap.

| Vulnerability | Affected Devices | Attack Vector | Claroty PoC Complexity | Vendor Response Status |
|---|---|---|---|---|
| CVE-2026-5432 | Vertiv Liebert PSI Series PDUs (2018–2024) | Unauthenticated Modbus TCP command injection | Low (3-step exploit) | No patch ETA; “investigating” |
| CVE-2026-5433 | Trane AHU-3000 Series (2020–2023) | Hardcoded credentials + API endpoint exposure | Medium (requires network pivot) | Referencing “future firmware release” |

What Happens Next: The Exploit Timeline and Your Options

Based on Claroty’s historical data, we can model three likely scenarios:

  1. June–July 2026: Proof-of-concept exploits appear on GitHub or dark web forums. Claroty’s threat intelligence team has already observed chatter in OT-focused channels.
  2. August–September 2026: Ransomware groups (e.g., LockBit, Clop) begin targeting unpatched units, demanding payments to restore operations. CISA will likely issue an Emergency Directive.
  3. Long-term: Vendors will push “secure” hardware replacements, but the cost ($5K–$15K per unit) will force many enterprises to adopt network segmentation as a stopgap.

IT Triage: Who Can Help You Right Now?

With no patches available, enterprises must act immediately. Here’s the playbook:

  • Network segmentation: Deploy micro-segmentation tools like Palo Alto Prisma SD-WAN to isolate OT devices from IT networks. Claroty recommends blocking Modbus TCP ports (502) at the firewall.
  • Credential rotation: Use tools like CrowdStrike OT Security to overwrite hardcoded credentials via API calls. Example CLI command:
    curl -X POST "https://{device-ip}/api/v1/auth" \
         -H "Content-Type: application/json" \
         -d '{"username": "admin", "password": "NEW_RANDOM_128CHAR_PASSWORD", "forceUpdate": true}'

Note: This requires physical access to the device’s management interface.

  • Audit and replace: Engage specialized OT auditors like Nozomi Networks to inventory exposed devices and prioritize replacements. Their OT Security Assessment service includes firmware integrity checks.
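
Whether the port-502 block from the segmentation step actually holds can be checked against captured traffic. The following is an added example, not code from Claroty or either vendor: it parses Modbus/TCP request headers and flags clients outside an allowlist. The `ALLOWED_MASTERS` subnet, the IP addresses and the sample flows are constructed assumptions.

```python
import ipaddress
import struct

# Modbus function codes that change device state (per the Modbus application protocol).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Assumption: the only subnet permitted to speak Modbus to OT devices.
ALLOWED_MASTERS = [ipaddress.ip_network("10.20.0.0/28")]

# Constructed sample flows: (source IP, destination port, TCP payload).
SAMPLE_FLOWS = [
    ("10.20.0.5", 502, bytes.fromhex("000100000006010300000002")),      # approved read
    ("192.168.10.44", 502, bytes.fromhex("000200000006010600100001")),  # IT host write
    ("192.168.10.44", 502, bytes.fromhex("000300000006010300000002")),  # IT host read
    ("10.20.0.5", 502, b"GET / HTTP/1.1\r\n"),                          # not Modbus
    ("192.168.10.44", 443, b"\x16\x03\x01"),                            # unrelated port
]


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU that follows.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7]}


def audit(flows):
    """Return (source, severity, detail) findings for traffic on TCP port 502."""
    findings = []
    for src, dport, payload in flows:
        if dport != 502:
            continue
        frame = parse_mbap(payload)
        if frame is None:
            findings.append((src, "medium", "non-Modbus data on port 502"))
            continue
        if any(ipaddress.ip_address(src) in net for net in ALLOWED_MASTERS):
            continue
        fc = frame["function"]
        severity = "high" if fc in WRITE_FUNCTIONS else "medium"
        findings.append((src, severity, f"unapproved Modbus client, function {fc}"))
    return findings
```

Any finding from a source outside the OT management subnet means the firewall rule is missing or bypassed on that path.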

The Broader Implications: Why This Flaw Exposes a Deeper Industry Problem

This disclosure isn’t an isolated incident—it’s a symptom of three systemic issues in OT security:

  1. Vendor complacency: Both Vertiv and Trane have histories of delayed patches. In 2022, Vertiv took 18 months to address a similar Modbus flaw (CVE-2022-24086), per Tenable’s OT threat report.
  2. Regulatory gaps: The IoT Cybersecurity Improvement Act (2023) doesn’t cover OT devices, leaving a legal loophole for vendors.
  3. Supply chain risk: These devices are often deployed by third-party MSPs who lack OT security expertise. A specialized OT MSP like Digitalis can help remediate misconfigurations.

What’s Next for OT Security: The Shift to “Defense in Depth”

The Claroty findings underscore a paradigm shift in OT security: vendors can no longer rely on “secure by obscurity” or periodic patches. The future lies in:

  • Hardware-rooted security: Devices must include immutable cryptographic anchors (e.g., Intel SGX for OT) to prevent firmware tampering. Startups like ARM’s TrustZone for IoT are leading this charge.
  • AI-driven anomaly detection: Tools like Darktrace Antigena can detect Modbus-based attacks in real time by modeling “normal” OT behavior.
  • Legislative pressure: The Securing Critical Infrastructure Act (proposed 2026) may force vendors to adopt mandatory vulnerability disclosure timelines.

For enterprises, the message is clear: assume breach. The cost of replacing 12,000 PDUs ($60M+) pales next to the potential losses from a ransomware attack. Now is the time to audit your OT stack and partner with firms that specialize in hardware-level security.

*Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.*
