Cross‑Site Scripting (CVE‑2026‑4293) in Kieback & Peter DDC Building Controllers Enables Hijacking of Operator Browser Sessions
What It Is – A reflected XSS flaw (CVE‑2026‑4293) in the web interface of Kieback & Peter DDC building‑automation controllers lets an attacker who gets a user to open a crafted link run attacker‑supplied JavaScript in that user's browser, in the origin of the controller's web UI. From there the script can read the session, submit requests as the logged‑in operator, or alter what the operator sees.
Exploitability – Public advisory; proof‑of‑concept scripts are available. No known active ransomware or bot‑net campaigns. The injection point is reachable without credentials on the controller, but, as with any reflected XSS, the payload only runs when a user of the web UI opens the attacker's link, so phishing an operator is the realistic delivery path. CVSS v3.1 base score 5.3 (Medium).
Affected Products – All firmware versions ≤ 1.12.14 for DDC4002, DDC4100, DDC4200, DDC4200‑L, DDC4400 and ≤ 1.23.4 for the “e” series (DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e) plus DDC520 ≤ 1.24.1.
TPRM Impact – These controllers are deployed in commercial facilities, hospitals, data‑centers, and government sites across Europe, the Middle East and Asia. A hijacked operator session can be used to change controller configuration, manipulate building‑system data, or harvest credentials, and a controller under attacker control can serve as a foothold for pivoting into the facility network, creating a supply‑chain exposure for downstream tenants and service providers.
Recommended Actions –
- Inventory all Kieback & Peter DDC devices and verify firmware versions.
- Apply the vendor‑released patches (or upgrade to firmware > 1.12.14 / > 1.23.4 / > 1.24.1 as applicable).
- If patching is delayed, keep the controller's web UI off the Internet and restrict it to a management network reachable only over VPN. Note that this narrows exposure but does not remove it: the payload is delivered through the operator's browser, so an operator who can reach the UI and opens a malicious link is still exploitable.
- Re‑test the affected UI after patching (for example, by replaying the public proof‑of‑concept input) to confirm the script is no longer reflected.
- Update third‑party risk registers and notify affected business units.
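The inventory and version check above is where such reviews most often go wrong: firmware strings compared as text rank "1.9.3" above "1.12.14" and mark a vulnerable device as patched. The script below is an added example, not code from the CISA advisory or from Kieback & Peter, that classifies an inventory against the affected ranges listed above using numeric version comparison. It assumes (my assumption, not from the source) that the inventory is a CSV with `model` and `firmware` columns and that firmware versions are dotted numeric strings; the sample inventory is constructed for illustration.

```python
"""Added example (not from the advisory or the vendor): classify an
inventory of Kieback & Peter DDC controllers against the affected
firmware ranges for CVE-2026-4293.

Assumptions not in the source: inventory is CSV with columns
model,firmware; firmware versions are dotted numeric strings.
"""
import csv
import io
import re

# Last affected firmware per model, taken from the affected-products list.
AFFECTED_MAX = {
    **{m: (1, 12, 14) for m in ("DDC4002", "DDC4100", "DDC4200", "DDC4200-L", "DDC4400")},
    **{m: (1, 23, 4) for m in ("DDC4002E", "DDC4200E", "DDC4400E", "DDC4020E", "DDC4040E")},
    "DDC520": (1, 24, 1),
}


def parse_version(s):
    """Turn '1.12.14' (optionally 'v1.12.14') into (1, 12, 14).
    Tuples compare numerically, so 1.9.3 sorts below 1.12.14, which a
    plain string comparison gets wrong."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def normalize_model(model):
    """Canonical lookup key: uppercase, no spaces/underscores, ASCII hyphen
    (inventories pasted from PDFs often carry a non-breaking hyphen)."""
    return re.sub(r"[\s_]", "", model.replace("\u2011", "-").strip().upper())


def is_affected(model, firmware):
    """True if model/firmware is in an affected range, False if above it,
    None if the model is not covered by the advisory. Raises ValueError
    on an unparseable version so it is never silently treated as patched."""
    key = normalize_model(model)
    if key not in AFFECTED_MAX:
        return None
    return parse_version(firmware) <= AFFECTED_MAX[key]


def triage_inventory(csv_text):
    """Bucket every inventory row; returns dict of bucket -> [(model, fw)]."""
    result = {"affected": [], "patched": [], "unknown_model": [], "bad_version": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        model, fw = row["model"], row["firmware"]
        try:
            verdict = is_affected(model, fw)
        except ValueError:
            result["bad_version"].append((model, fw))
            continue
        if verdict is None:
            result["unknown_model"].append((model, fw))
        elif verdict:
            result["affected"].append((model, fw))
        else:
            result["patched"].append((model, fw))
    return result


# Constructed sample inventory (illustrative, not real devices).
SAMPLE_INVENTORY = """model,firmware
DDC4200,1.12.14
DDC4200-L,1.9.3
DDC4400,1.12.15
ddc4200e,1.23.4
DDC4040e,1.24.0
DDC520,1.24.1
DDC520,1.25.0
DDC9999,1.0.0
DDC4100,unknown
"""

if __name__ == "__main__":
    for bucket, rows in triage_inventory(SAMPLE_INVENTORY).items():
        for model, fw in rows:
            print(f"{bucket:13} {model:10} {fw}")
```

Rows in `bad_version` and `unknown_model` need a human look rather than being dropped: a device whose firmware field reads "unknown" is more likely unpatched than patched, and a model name the advisory does not list may simply be spelled differently in the asset database.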
Source: CISA Advisory – ICSA‑26‑139‑05