SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Claroty flags data centre risks in Vertiv & Trane kit

Wed, 10th Jun 2026

Claroty has identified vulnerabilities in Vertiv power supply devices and Trane HVAC controllers used in data centres, highlighting risks in equipment that supports uptime in facilities handling critical digital workloads.

The research covers two types of operational technology commonly found in data centre environments: Vertiv uninterruptible power supply network cards and the Trane Tracer SC+ automated HVAC controller.

The Vertiv findings involve two critical vulnerabilities in network cards attached to uninterruptible power supply systems, which keep equipment running during power outages and protect infrastructure from sudden power fluctuations.

Because servers, routers and control systems depend on those devices during power problems, a successful compromise could disrupt operations across a facility. In a data centre, the impact could extend beyond a single device because the equipment is closely tied to core infrastructure.

The second set of findings involves a chain of severe vulnerabilities in the Trane Tracer SC+ controller, which is used in building management and HVAC environments central to maintaining temperature and operating conditions in data centres.

According to the research, the flaws could allow unauthenticated remote code execution if exploited together. In practice, that means an attacker could potentially gain remote control of the system without prior access credentials.

HVAC systems are especially important in data centres because cooling failures can quickly affect computing equipment. If building management systems are disrupted, operators may face service interruptions as well as risks to hardware and wider facility operations.

Claroty placed the findings in the context of growing reliance on data centres as artificial intelligence workloads increase. Outages in such facilities can cost hundreds of thousands of dollars per hour, raising the stakes for operators managing both cyber security and physical systems.

The findings also underscore how data centres are increasingly viewed as part of critical infrastructure. Attackers seeking disruption may see supporting systems such as power and cooling controls as attractive targets because interference can have immediate operational consequences.

Operational risk

The issues involve cyber-physical systems, where a digital compromise can affect physical operations. In data centres, that means an attack on support equipment could interrupt computing services even if the servers themselves are not directly breached.

This distinction matters because security planning in data centres has often focused on IT assets and data protection. The vulnerabilities highlighted here affect operational systems that manage electricity continuity and environmental control, both of which are essential to keeping facilities online.

Claroty said it disclosed the vulnerabilities to Trane and Vertiv before publication and that both vendors worked on remediation. The findings were not presented as unresolved exposures left in the field without manufacturer notice.

The disclosure process matters in industrial and building systems because operators often need vendor guidance before patching or changing configurations. Unlike standard office technology, devices in live operational environments are usually updated with caution to avoid accidental downtime.

For data centre operators, the findings are likely to reinforce the need to assess the security of ancillary systems alongside mainstream network and server defences. Power equipment, cooling controls and building management platforms are often integrated into wider monitoring environments, potentially expanding the attack surface if not tightly managed.

The research also adds to broader industry concerns about how legacy assumptions in operational technology can clash with internet-connected management functions. Features designed for remote administration and efficiency can become weak points when authentication, segmentation or patching practices lag behind current threats.

Amir Preminger, Chief Technology Officer at Claroty and Head of Team82, linked the findings to resilience planning in data centre operations. "The types of vulnerabilities found in Team82's research represent why data centres must make a fundamental shift in how they redefine their cyber and operational resilience goals, given that a single cyber incident can lead to physical disruption, create safety hazards, or cause catastrophic downtime," Preminger said.

He said the research showed an immediate operational risk for operators. "Our research shows that the risk to data centre stability is very real and very present. Data centre operators must move quickly to treat CPS protection as a business imperative to drive risk reduction and maintain operational uptime," Preminger said.