Claroty has published research identifying vulnerabilities in two types of equipment commonly used in Australian data centres: Vertiv uninterruptible power supply (UPS) network cards and Trane Technologies’ Tracer SC+ HVAC controller.
The company said data centres are increasingly targeted by threat actors seeking operational disruption, and warned that exploitation of vulnerabilities in operational technology and building management systems could lead to downtime and wider impacts on services that rely on data centre availability.
Claroty’s key findings include two critical vulnerabilities in Vertiv UPS network cards, which are used to keep equipment running during power outages. The research said a compromise of such devices could lead to operational disruption, given the reliance of computing environments on UPS systems.
The research also identified a chain of vulnerabilities in the Trane Tracer SC+ automated HVAC controller. Claroty said the issues could allow unauthenticated remote code execution, potentially enabling an attacker to gain control of a building management component from outside the environment.
Claroty linked the findings to rising operational and financial stakes for data centres, citing estimates that downtime costs can exceed hundreds of thousands of dollars per hour. The company said increased reliance on AI workloads has raised the criticality of continuous uptime and reinforced the view of data centres as critical infrastructure.
“Given that a single cyber incident can lead to physical disruption, create safety hazards, or cause catastrophic downtime, data centres must make a fundamental shift in how they redefine their cyber and operational resilience goals,” said Amir Preminger, CTO of Claroty and head of its Team82 research group.
Claroty said its Team82 researchers presented the work at the SANS ICS Security Summit in Orlando, Florida, in a session titled “New Kind of Critical Infrastructure—Uncovering Vulnerabilities in AI Data Centre Equipment.”
The company said it responsibly disclosed the issues to Trane and Vertiv, and that remediation was completed prior to publication.
