Description
The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject JavaScript that executes in the browser of a user of the Kieback & Peter DDC building controller web interface (CWE-79, improper neutralisation of input during web page generation). Script running in the controller's web origin can act as that user against the controller, for example issuing requests with the user's session, altering what the operator sees, or chaining into further browser-side attacks. The CVSS v3.1 vector published for the CVE (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) rates the impact as low integrity only, with no confidentiality or availability impact; the practical consequence depends on what an authenticated operator is able to change through the web interface.

Affected Systems

Affected products: DDC4002, DDC4002e, DDC4020e, DDC4040e, DDC4100, DDC4200, DDC4200-L, DDC4200e, DDC4400, DDC4400e, and DDC520. Fixed firmware is listed for six models: DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e should be upgraded to version 1.23.5 or newer, and DDC520 to version 1.24.2 or newer. No fixed firmware is listed for DDC4002, DDC4100, DDC4200, DDC4200-L, or DDC4400; for these the only mitigation given is to isolate the controller in a strictly separated OT network segment and to disable the web portal where it is not needed.

Risk and Exploitability

The CVSS v3.1 base score of 5.3 (Medium) reflects network reachability with no privileges or user interaction required, but only a low integrity impact. No EPSS score is published and the CVE is not in the CISA KEV catalog; the SSVC record in the history below states Exploitation: none, so no exploitation had been reported at publication. The risk rises sharply where the controller's web portal is reachable from untrusted networks or used by untrusted users. The advisory classifies the flaw only as CWE-79 and does not state whether the injection is reflected or stored, nor which parameters are affected, so any user-controlled input reaching the web interface should be treated as in scope until the firmware is updated.

Generated by OpenCVE AI on May 20, 2026 at 16:50 UTC.

Remediation

Vendor Solution

For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, update the firmware to the latest available version:

  • DDC4002e: Update to version 1.23.5 or newer
  • DDC4200e: Update to version 1.23.5 or newer
  • DDC4400e: Update to version 1.23.5 or newer
  • DDC4020e: Update to version 1.23.5 or newer
  • DDC4040e: Update to version 1.23.5 or newer
  • DDC520: Update to version 1.24.2 or newer


Vendor Workaround

Kieback & Peter DDC Building Controllers are developed and designed for use in closed building automation networks. The system is protected by a multi-level perimeter against attacks, especially from outside, by dividing it into operational technology (OT) zones with firewalls. Building automation systems (BA systems) in general should not be directly accessible from untrusted networks, especially from the Internet, but should be protected by consistently applying the defense-in-depth strategy. This concept is supported by organizational measures in the building as part of a safety management system. In order to achieve safety, measures are required at all levels.


OpenCVE Recommended Actions

  • Update firmware to the latest available version for affected controllers (e.g., update to 1.23.5 or newer for DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e and to 1.24.2 or newer for DDC520).
  • For devices without a firmware fix, isolate the controller in a strictly separate OT environment and disable the web portal in device configuration if it is not required.
  • Ensure the controller is not directly connected to the Internet and restrict network access to the device to trusted operators only.
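As an added example, not code from OpenCVE or Kieback & Peter, the routine below turns the fixed-version list and the affected-model list from this page into a triage check an asset owner can run over a firmware inventory. It assumes the inventory is a list of (hostname, model, firmware version) rows, such as the constructed sample embedded in the block, and compares versions numerically so that a firmware such as 1.9.12 is not mistaken for newer than 1.23.5 by a string comparison. Hostnames and firmware versions in the sample are hypothetical.

```python
"""Triage Kieback & Peter DDC controllers against the CVE-2026-4293 fixed versions.

Added example, not vendor or OpenCVE code. The fixed versions and model lists are
taken from the advisory text; the inventory format and sample rows are assumptions.
"""

# Minimum fixed firmware per model, as listed in the vendor solution.
FIXED_VERSIONS = {
    "DDC4002e": "1.23.5",
    "DDC4200e": "1.23.5",
    "DDC4400e": "1.23.5",
    "DDC4020e": "1.23.5",
    "DDC4040e": "1.23.5",
    "DDC520": "1.24.2",
}

# Models the advisory lists as affected but for which no fixed firmware is given.
NO_FIX_MODELS = {"DDC4002", "DDC4100", "DDC4200", "DDC4200-L", "DDC4400"}


def parse_version(text):
    """Turn '1.23.5' into (1, 23, 5). Numeric fields only; anything else is rejected
    rather than silently compared as a string ('1.9' > '1.23' lexically, wrongly)."""
    fields = text.strip().split(".")
    if not fields or not all(f.isdigit() for f in fields):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(f) for f in fields)


def is_at_least(version, minimum):
    """Numeric comparison with the shorter tuple zero-padded, so 1.23.5.0 == 1.23.5."""
    v, m = parse_version(version), parse_version(minimum)
    width = max(len(v), len(m))
    return v + (0,) * (width - len(v)) >= m + (0,) * (width - len(m))


def assess(model, firmware):
    """Classify one controller.

    Returns one of:
      'fixed'        - model has a fix and the firmware is at or above it
      'update'       - model has a fix and the firmware is below it
      'isolate'      - model is affected but no fixed firmware is listed
      'not-affected' - model is not named in the advisory
    """
    model = model.replace("\u2011", "-").strip()  # normalise non-breaking hyphen
    if model in FIXED_VERSIONS:
        return "fixed" if is_at_least(firmware, FIXED_VERSIONS[model]) else "update"
    if model in NO_FIX_MODELS:
        return "isolate"
    return "not-affected"


def triage(inventory):
    """Group an inventory of (hostname, model, firmware) rows by required action."""
    result = {"fixed": [], "update": [], "isolate": [], "not-affected": []}
    for host, model, firmware in inventory:
        result[assess(model, firmware)].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("bms-01", "DDC4002e", "1.23.5"),
    ("bms-02", "DDC4002e", "1.9.12"),
    ("bms-03", "DDC520", "1.23.5"),
    ("bms-04", "DDC520", "1.24.2"),
    ("bms-05", "DDC4100", "2.0.1"),
    ("bms-06", "DDC4200-L", "1.23.5"),
    ("bms-07", "Other-PLC", "4.1"),
]

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{action:12s} {', '.join(hosts) or '-'}")
```

Note that bms-03 lands in "update" even though 1.23.5 is the fixed version for the DDC4xxxe models: the DDC520 threshold is 1.24.2, so the check must be keyed by model, not by a single version number. Hosts in "isolate" have no firmware path on this page regardless of how new their firmware reports itself to be.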

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type         Values Removed   Values Added
Metrics      -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 15:30:00 +0000

Type         Values Removed   Values Added
Description  -                The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.
Title        -                Kieback & Peter DDC Building Controllers Cross-site Scripting
Weaknesses   -                CWE-79
References   -                -
Metrics      -                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-20T15:28:28.317Z

Reserved: 2026-03-16T17:01:03.386Z

Link: CVE-2026-4293

Vulnrichment

Updated: 2026-05-20T15:28:24.241Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T16:16:26.003

Modified: 2026-05-20T17:30:40.450

Link: CVE-2026-4293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T17:00:14Z

Weaknesses