{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4293", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-03-16T17:01:03.386Z", "datePublished": "2026-05-20T14:39:59.812Z", "dateUpdated": "2026-05-20T14:45:45.161Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-05-20T14:45:45.161Z"}, "title": "Kieback & Peter DDC Building Controllers Cross-site Scripting", "datePublic": "2026-05-19T14:26:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Kieback & Peter", "product": "DDC4002", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.14", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4100", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.14", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4200", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.14", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4200-L", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.14", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4400", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.14", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4002e", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.23.4", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4200e", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.23.4", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4400e", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.23.4", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4020e", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.23.4", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC4040e", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.23.4", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Kieback & Peter", "product": "DDC520", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.24.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The affected\u00a0Kieback & Peter DDC building controllers\u00a0are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The affected&nbsp;Kieback &amp; Peter DDC building controllers&nbsp;are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser."}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "workarounds": [{"lang": "en", "value": "Kieback & Peter DDC Building Controllers are developed and designed \nfor use in closed building automation networks. The system is protected \nby a multi-level perimeter against attacks, especially from outside, by \ndividing it into operational technology (OT) zones with firewalls. \nBuilding automation systems (BA systems) in general should not be \ndirectly accessible from untrusted networks, especially from the \nInternet, but should be protected by consistently applying the \ndefense-in-depth strategy. This concept is supported by organizational \nmeasures in the building as part of a safety management system. In order\n to achieve safety, measures are required at all levels.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Kieback &amp; Peter DDC Building Controllers are developed and designed \nfor use in closed building automation networks. The system is protected \nby a multi-level perimeter against attacks, especially from outside, by \ndividing it into operational technology (OT) zones with firewalls. \nBuilding automation systems (BA systems) in general should not be \ndirectly accessible from untrusted networks, especially from the \nInternet, but should be protected by consistently applying the \ndefense-in-depth strategy. This concept is supported by organizational \nmeasures in the building as part of a safety management system. In order\n to achieve safety, measures are required at all levels."}]}, {"lang": "en", "value": "The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are \nend-of-maintenance, therefore the recommendations for these devices are \nas follows:\u00a0\n\n * These devices must be operated in a strictly separate OT \nenvironment.\n * \nOnly trusted \nindividuals should be granted network access to the DDC web portal.\n * \n\u00a0Access to the web \nportal should be disabled in the device configuration if not required.\n * \n\u00a0Users should be \ninformed that only links from trusted sources should be used to access \nthe web service.\n * \n\u00a0Restrict network access to the \ndevice\n * \n\u00a0Do not directly connect the \ndevice to the Internet", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are \nend-of-maintenance, therefore the recommendations for these devices are \nas follows:&nbsp;</p><ul><li>These devices must be operated in a strictly separate OT \nenvironment.</li><li>\nOnly trusted \nindividuals should be granted network access to the DDC web portal.</li><li>\n&nbsp;Access to the web \nportal should be disabled in the device configuration if not required.</li><li>\n&nbsp;Users should be \ninformed that only links from trusted sources should be used to access \nthe web service.</li><li>\n&nbsp;Restrict network access to the \ndevice</li><li>\n&nbsp;Do not directly connect the \ndevice to the Internet</li></ul>"}]}, {"lang": "en", "value": "For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers,\u00a0\nKieback & Peter\n\nrecommends the following safety measures: \n\n\n * Restrict network access to the device\n * Do not directly connect the device to the Internet", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers,&nbsp;\nKieback &amp; Peter\n\nrecommends the following safety measures: </p>\n<ul><li>Restrict network access to the device</li><li>Do not directly connect the device to the Internet </li></ul>"}]}], "solutions": [{"lang": "en", "value": "For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, update the firmware to the latest available version:\u00a0\n\n * DDC4002e: Update to version 1.23.5 or newer\n * \nDDC4200e: Update to version 1.23.5 or newer\n * \nDDC4400e: Update to version 1.23.5 or newer\n * \nDDC4020e: Update to version 1.23.5 or newer\n * \nDDC4040e: Update to version 1.23.5 or newer\n * \nDDC520: Update to version 1.24.2 or newer", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>\nFor DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, update the firmware to the latest available version:&nbsp;</p><ul><li>DDC4002e: Update to version 1.23.5 or newer</li><li>\nDDC4200e: Update to version 1.23.5 or newer</li><li>\nDDC4400e: Update to version 1.23.5 or newer</li><li>\nDDC4020e: Update to version 1.23.5 or newer</li><li>\nDDC4040e: Update to version 1.23.5 or newer</li><li>\nDDC520: Update to version 1.24.2 or newer</li></ul>"}]}], "credits": [{"lang": "en", "value": "Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-139-05", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{}

{}

{}

{}