CVE-2026-4293 PUBLISHED

Kieback & Peter DDC Building Controllers Cross-site Scripting

Assigner: icscert
Reserved: 16.03.2026 Published: 20.05.2026 Updated: 20.05.2026

The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Product Status

Vendor: Kieback & Peter (all products listed below)
Versions Default: unaffected

  • DDC4002: affected from 0 to 1.12.14 (incl.)
  • DDC4100: affected from 0 to 1.12.14 (incl.)
  • DDC4200: affected from 0 to 1.12.14 (incl.)
  • DDC4200-L: affected from 0 to 1.12.14 (incl.)
  • DDC4400: affected from 0 to 1.12.14 (incl.)
  • DDC4002e: affected from 0 to 1.23.4 (incl.)
  • DDC4200e: affected from 0 to 1.23.4 (incl.)
  • DDC4400e: affected from 0 to 1.23.4 (incl.)
  • DDC4020e: affected from 0 to 1.23.4 (incl.)
  • DDC4040e: affected from 0 to 1.23.4 (incl.)
  • DDC520: affected from 0 to 1.24.1 (incl.)

Workarounds

For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, Kieback & Peter recommends the following safety measures:

  • Restrict network access to the device
  • Do not directly connect the device to the Internet

Solutions

For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, update the firmware to the latest available version:

  • DDC4002e: Update to version 1.23.5 or newer
  • DDC4200e: Update to version 1.23.5 or newer
  • DDC4400e: Update to version 1.23.5 or newer
  • DDC4020e: Update to version 1.23.5 or newer
  • DDC4040e: Update to version 1.23.5 or newer
  • DDC520: Update to version 1.24.2 or newer

Credits

  • Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA. (finder)

Problem Types

  • CWE-79: Improper neutralization of input during web page generation ('cross-site scripting')