Decoding the world of cybersecurity

Datacentre equipment flaws expose uptime risk

Claroty research into UPS and HVAC equipment shows how datacentre resilience depends on cyber-physical systems that often sit outside normal security governance.

Datacentre equipment flaws expose uptime risk
Summary
  • Claroty has disclosed vulnerabilities affecting power supply network devices and HVAC controllers used in datacentres.
  • The research includes Vertiv UPS network cards and Trane Tracer SC+ building management equipment.
  • Cloud, AI, and regulated services depend on physical support systems that require cyber governance as well as facilities management.

Claroty has disclosed vulnerabilities in datacentre support equipment, including power supply network devices and HVAC controllers, bringing the physical systems behind cloud, AI, public services, and regulated workloads into the resilience conversation.

The company’s Team82 research covers two types of equipment used primarily in datacentres: power supply devices and heating, ventilation, and air conditioning controllers. The findings include vulnerabilities in Vertiv uninterruptible power supply network cards and a chain of severe issues affecting the Trane Tracer SC+ automated HVAC controller.

Claroty’s research disclosure says the UPS vulnerabilities could threaten operational continuity because computing equipment depends on these devices to remain online during power instability or to shut down safely. The Trane controller issues, if weaponised, could allow unauthenticated remote code execution and control over a critical building management system.

No public evidence of exploitation in the wild has been disclosed in the source material. Even so, the affected equipment class is significant. Datacentres are usually discussed through compute capacity, cloud regions, energy consumption, latency, and AI demand. Their resilience also depends on less visible cyber-physical systems: power management, cooling, building automation, environmental monitoring, access control, and maintenance tooling.

Those systems are now part of the digital service chain. A cloud platform can have strong identity controls and mature network segmentation, but manipulated power support or cooling control can turn availability into a physical and operational failure. Attackers do not need to exfiltrate data to create business impact. Disrupting the conditions under which systems keep running can be enough.

As AI demand increases datacentre density and power dependency, resilience pressure on physical infrastructure will grow. High-performance computing environments depend on tight environmental controls. Cooling disruption can force shutdowns. Power instability can damage equipment or trigger failover procedures. Even a contained incident can create customer impact if it affects a shared facility or tightly coupled service environment.

UK and European organisations may be exposed even when they do not operate datacentres directly. Banks, hospitals, government services, telecoms providers, insurers, manufacturers, software companies, and public cloud customers all depend on facilities they may not control. Resilience obligations under regimes such as DORA, NIS2, and sectoral critical infrastructure rules increasingly require organisations to understand dependency chains rather than simply list technology suppliers.

Building management systems often sit in a governance gap. Facilities teams may own them, specialist contractors may maintain them, and vendor remote access arrangements may be required for support. Security accountability can sit outside the normal enterprise security stack. Asset inventories may identify servers and endpoints but miss controllers, network cards, engineering workstations, and remote maintenance paths. Patching may be delayed by uptime concerns or warranty constraints.

The Claroty research therefore sits within a broader shift from IT security to operational resilience. Datacentre security cannot be limited to firewalls, endpoint detection, and identity controls. It also requires knowledge of cyber-physical assets, network exposure, firmware lifecycle, remote access, vendor service accounts, monitoring, segmentation, and incident playbooks that bring facilities and cyber teams into the same response process.

Critical digital services need scenarios that include degraded cooling, power management, or building automation. Customers also need clarity from cloud, hosting, and colocation providers on how incidents affecting physical support systems are detected, contained, reported, and recovered. Contractual resilience commitments are weaker when the customer cannot see how support infrastructure is governed.

Datacentres are increasingly treated as critical infrastructure because the services running inside them have become critical. The vulnerabilities disclosed by Claroty do not prove imminent widespread disruption, but they show how the attack surface around digital infrastructure extends into equipment once treated as operational background. As essential services move deeper into dense cloud and AI environments, the physical layer will need the same disciplined security governance now expected of software, identity, and network infrastructure.

×