IronMonkey Threat Research

Kieback & Peter DDC Building Controllers

MEDIUM
CVSS 5.3
Date 2026-05-19T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

Successful exploitation of this vulnerability could allow an attacker to run attacker-supplied script in a victim's browser within the context of the controller's web portal, and so act on the portal as that victim's browser.

// Vulnerabilities (1)

CVE ID: CVE-2026-4293
CVSS Score: 5.3
Severity: Medium
Description: The affected products are vulnerable to cross-site scripting (XSS). Attacker-supplied JavaScript is executed by the victim's browser in the origin of the device's web portal, which lets the attacker control what that browser does on the portal (for example, act with the victim's session or alter what the victim sees).

// Remediations (13)

Patches (update the firmware to the latest available version):
- DDC520 -> Update to version 1.24.2 or newer
- DDC4002e -> Update to version 1.23.5 or newer
- DDC4020e -> Update to version 1.23.5 or newer
- DDC4040e -> Update to version 1.23.5 or newer
- DDC4200e -> Update to version 1.23.5 or newer
- DDC4400e -> Update to version 1.23.5 or newer

Mitigations recommended by Kieback & Peter for the DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers, in addition to the firmware update:
- Restrict network access to the device.
- Do not connect the device directly to the Internet.

Mitigation (general): Kieback & Peter DDC Building Controllers are developed and designed for use in closed building automation networks. The system is protected by a multi-level perimeter against attacks, especially from outside, by dividing it into operational technology (OT) zones separated by firewalls. Building automation (BA) systems in general should not be directly accessible from untrusted networks, especially the Internet, but should be protected by consistently applying a defense-in-depth strategy. This concept is supported by organizational measures in the building as part of a security management system. Security requires measures at all levels.

End-of-maintenance controllers (DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400): no firmware update is listed for these devices, and Kieback & Peter recommends the following for them:
- Operate the devices in a strictly separated OT environment.
- Grant network access to the DDC web portal only to trusted individuals.
- Inform users that the web service should be accessed only via links from trusted sources.
- Disable access to the web portal in the device configuration if it is not required.