{"api_version":"1","generated_at":"2026-06-03T07:20:23+00:00","cve":"CVE-2026-4293","urls":{"html":"https://cve.report/CVE-2026-4293","api":"https://cve.report/api/cve/CVE-2026-4293.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-4293","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-4293"},"summary":{"title":"Kieback & Peter DDC Building Controllers Cross-site Scripting","description":"The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.","state":"PUBLISHED","assigner":"icscert","published_at":"2026-05-20 16:16:26","updated_at":"2026-05-20 17:30:40"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"],"metrics":[{"version":"3.1","source":"ics-cert@hq.dhs.gov","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json","name":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json","refsource":"ics-cert@hq.dhs.gov","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05","name":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05","refsource":"ics-cert@hq.dhs.gov","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-4293","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4293","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4002","version":"affected 1.12.14 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4100","version":"affected 1.12.14 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4200","version":"affected 1.12.14 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4200-L","version":"affected 1.12.14 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4400","version":"affected 1.12.14 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4002e","version":"affected 1.23.4 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4200e","version":"affected 1.23.4 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4400e","version":"affected 1.23.4 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4020e","version":"affected 1.23.4 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC4040e","version":"affected 1.23.4 custom","platforms":[]},{"source":"CNA","vendor":"Kieback & Peter","product":"DDC520","version":"affected 1.24.1 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, update the firmware to the latest available version: \n\n * DDC4002e: Update to version 1.23.5 or newer\n * \nDDC4200e: Update to version 1.23.5 or newer\n * \nDDC4400e: Update to version 1.23.5 or newer\n * \nDDC4020e: Update to version 1.23.5 or newer\n * \nDDC4040e: Update to version 1.23.5 or newer\n * \nDDC520: Update to version 1.24.2 or newer","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Kieback & Peter DDC Building Controllers are developed and designed \nfor use in closed building automation networks. The system is protected \nby a multi-level perimeter against attacks, especially from outside, by \ndividing it into operational technology (OT) zones with firewalls. \nBuilding automation systems (BA systems) in general should not be \ndirectly accessible from untrusted networks, especially from the \nInternet, but should be protected by consistently applying the \ndefense-in-depth strategy. This concept is supported by organizational \nmeasures in the building as part of a safety management system. In order\n to achieve safety, measures are required at all levels.","time":"","lang":"en"},{"source":"CNA","title":"","value":"The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are \nend-of-maintenance, therefore the recommendations for these devices are \nas follows: \n\n * These devices must be operated in a strictly separate OT \nenvironment.\n * \nOnly trusted \nindividuals should be granted network access to the DDC web portal.\n * \n Access to the web \nportal should be disabled in the device configuration if not required.\n * \n Users should be \ninformed that only links from trusted sources should be used to access \nthe web service.\n * \n Restrict network access to the \ndevice\n * \n Do not directly connect the \ndevice to the Internet","time":"","lang":"en"},{"source":"CNA","title":"","value":"For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, \nKieback & Peter\n\nrecommends the following safety measures: \n\n\n * Restrict network access to the device\n * Do not directly connect the device to the Internet","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"4293","cve":"CVE-2026-4293","epss":"0.000400000","percentile":"0.122720000","score_date":"2026-05-27","updated_at":"2026-05-28 00:02:13"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-4293","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-20T15:28:18.234158Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-20T15:28:28.317Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"DDC4002","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.12.14","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4100","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.12.14","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4200","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.12.14","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4200-L","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.12.14","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4400","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.12.14","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4002e","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.23.4","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4200e","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.23.4","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4400e","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.23.4","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4020e","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.23.4","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC4040e","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.23.4","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"DDC520","vendor":"Kieback & Peter","versions":[{"lessThanOrEqual":"1.24.1","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA."}],"datePublic":"2026-05-19T14:26:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser."}],"value":"The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-20T14:45:45.161Z","orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05"},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

\nFor DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, update the firmware to the latest available version: 

"}],"value":"For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, update the firmware to the latest available version: \n\n * DDC4002e: Update to version 1.23.5 or newer\n * \nDDC4200e: Update to version 1.23.5 or newer\n * \nDDC4400e: Update to version 1.23.5 or newer\n * \nDDC4020e: Update to version 1.23.5 or newer\n * \nDDC4040e: Update to version 1.23.5 or newer\n * \nDDC520: Update to version 1.24.2 or newer"}],"source":{"advisory":"ICSA-26-139-05","discovery":"EXTERNAL"},"title":"Kieback & Peter DDC Building Controllers Cross-site Scripting","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Kieback & Peter DDC Building Controllers are developed and designed \nfor use in closed building automation networks. The system is protected \nby a multi-level perimeter against attacks, especially from outside, by \ndividing it into operational technology (OT) zones with firewalls. \nBuilding automation systems (BA systems) in general should not be \ndirectly accessible from untrusted networks, especially from the \nInternet, but should be protected by consistently applying the \ndefense-in-depth strategy. This concept is supported by organizational \nmeasures in the building as part of a safety management system. In order\n to achieve safety, measures are required at all levels."}],"value":"Kieback & Peter DDC Building Controllers are developed and designed \nfor use in closed building automation networks. The system is protected \nby a multi-level perimeter against attacks, especially from outside, by \ndividing it into operational technology (OT) zones with firewalls. \nBuilding automation systems (BA systems) in general should not be \ndirectly accessible from untrusted networks, especially from the \nInternet, but should be protected by consistently applying the \ndefense-in-depth strategy. This concept is supported by organizational \nmeasures in the building as part of a safety management system. In order\n to achieve safety, measures are required at all levels."},{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are \nend-of-maintenance, therefore the recommendations for these devices are \nas follows: 

"}],"value":"The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are \nend-of-maintenance, therefore the recommendations for these devices are \nas follows: \n\n * These devices must be operated in a strictly separate OT \nenvironment.\n * \nOnly trusted \nindividuals should be granted network access to the DDC web portal.\n * \n Access to the web \nportal should be disabled in the device configuration if not required.\n * \n Users should be \ninformed that only links from trusted sources should be used to access \nthe web service.\n * \n Restrict network access to the \ndevice\n * \n Do not directly connect the \ndevice to the Internet"},{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, \nKieback & Peter\n\nrecommends the following safety measures:

\n"}],"value":"For DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, \nKieback & Peter\n\nrecommends the following safety measures: \n\n\n * Restrict network access to the device\n * Do not directly connect the device to the Internet"}],"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2026-4293","datePublished":"2026-05-20T14:39:59.812Z","dateReserved":"2026-03-16T17:01:03.386Z","dateUpdated":"2026-05-20T15:28:28.317Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-20 16:16:26","lastModifiedDate":"2026-05-20 17:30:40","problem_types":["CWE-79","CWE-79 CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"],"metrics":{"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"4293","Ordinal":"1","Title":"Kieback & Peter DDC Building Controllers Cross-site Scripting","CVE":"CVE-2026-4293","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"4293","Ordinal":"1","NoteData":"The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.","Type":"Description","Title":"Kieback & Peter DDC Building Controllers Cross-site Scripting"}]}}}