Summary
Successful exploitation of this vulnerability could allow an attacker to take control of the victim’s browser.
The following versions of Kieback & Peter DDC Building Controllers are affected:
- DDC4002 <=1.12.14 (CVE-2026-4293)
- DDC4100 <=1.12.14 (CVE-2026-4293)
- DDC4200 <=1.12.14 (CVE-2026-4293)
- DDC4200-L <=1.12.14 (CVE-2026-4293)
- DDC4400 <=1.12.14 (CVE-2026-4293)
- DDC4002e <=1.23.4 (CVE-2026-4293)
- DDC4200e <=1.23.4 (CVE-2026-4293)
- DDC4400e <=1.23.4 (CVE-2026-4293)
- DDC4020e <=1.23.4 (CVE-2026-4293)
- DDC4040e <=1.23.4 (CVE-2026-4293)
- DDC520 <=1.24.1 (CVE-2026-4293)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 5.3 | Kieback & Peter | Kieback & Peter DDC Building Controllers | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
Background
- Critical Infrastructure Sectors: Commercial Facilities, Communications, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology
- Countries/Areas Deployed: Austria, China, France, Germany, United Arab Emirates
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2026-4293
The affected products are vulnerable to cross-site scripting (XSS), enabling JavaScript to be executed by the victim’s browser, which allows the attacker to control the browser.
Affected Products
Vendor: Kieback & Peter
Product: Kieback & Peter DDC Building Controllers
Known affected versions:
- DDC4002: <=1.12.14
- DDC4100: <=1.12.14
- DDC4200: <=1.12.14
- DDC4200-L: <=1.12.14
- DDC4400: <=1.12.14
- DDC4002e: <=1.23.4
- DDC4200e: <=1.23.4
- DDC4400e: <=1.23.4
- DDC4020e: <=1.23.4
- DDC4040e: <=1.23.4
- DDC520: <=1.24.1
Remediations
Mitigation
Kieback & Peter DDC Building Controllers are developed and designed for use in closed building automation networks. The system is protected by a multi-level perimeter against attacks, especially from outside, by dividing it into operational technology (OT) zones with firewalls. Building automation systems (BA systems) in general should not be directly accessible from untrusted networks, especially from the Internet, but should be protected by consistently applying the defense-in-depth strategy. This concept is supported by organizational measures in the building as part of a safety management system. In order to achieve safety, measures are required at all levels.
Vendor fix
The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are end-of-maintenance, therefore the recommendations for these devices are as follows:
- These devices must be operated in a strictly separate OT environment.
- Only trusted individuals should be granted network access to the DDC web portal.
- Access to the web portal should be disabled in the device configuration if not required.
- Users should be informed that only links from trusted sources sh
[…]