CVE-2026-4293
Description
The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kieback & Peter DDC building controllers are vulnerable to cross-site scripting (XSS), allowing an attacker to run JavaScript in a victim's browser and thereby control it.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in multiple Kieback & Peter DDC building controller product lines. The issue stems from improper neutralization of input during web page generation (CWE-79) [1]. Affected versions include DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400 (all ≤1.12.14), DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e (all ≤1.23.4), and DDC520 (≤1.24.1) [1][2].
Exploitation
An attacker must get a crafted script in front of a victim who uses the DDC controller's web interface. The available references do not state whether authentication or prior access to the device is required; the vulnerability fires when the victim's browser renders the unsanitized input as part of a page served by the controller [1][2].
Impact
Successful exploitation runs attacker-chosen JavaScript in the victim's browser within the origin of the building controller's web application. Because the script runs with the victim's session, it can hijack that session, deface the interface, redirect the victim to malicious sites, or issue requests to the controller on the victim's behalf [1].
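The mechanism behind CWE-79 in the Vulnerability, Exploitation and Impact sections above, shown as an added example rather than code from Kieback & Peter or from the advisory: a controller status page that concatenates untrusted text into its markup, beside the same page with contextual output encoding. The page layout, field names, route and payloads are constructed for illustration and are not taken from the affected products.

```javascript
// Added example (not Kieback & Peter code): how a CWE-79 flaw in a controller
// status page lets attacker-supplied text become markup, and the output
// encoding that prevents it. Page layout, field names, the /api/setpoint route
// and both payloads are constructed for illustration.

// Encode the characters that change meaning in an HTML element or in a
// double-quoted attribute value.
function htmlEncode(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Element context. The device name comes from an untrusted source such as a
// configuration field or a request parameter.
function renderStatusVulnerable(deviceName) {
  // Vulnerable: raw concatenation, so a <script> in deviceName is executed.
  return `<h1>Controller ${deviceName}</h1>`;
}
function renderStatusHardened(deviceName) {
  // Hardened: the same value is encoded for the element context first.
  return `<h1>Controller ${htmlEncode(deviceName)}</h1>`;
}

// Attribute context. Breaking out of a quoted attribute needs no "<" at all,
// which is why filtering angle brackets alone is not a fix.
function renderRoomInputVulnerable(room) {
  return `<input name="room" value="${room}">`;
}
function renderRoomInputHardened(room) {
  return `<input name="room" value="${htmlEncode(room)}">`;
}

// Constructed payloads. The first injects a script element that talks to the
// controller with the victim's session; the second closes the value attribute
// and appends an event handler.
const SCRIPT_PAYLOAD = '<script>fetch("/api/setpoint?value=99")</script>';
const ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)';

// Checks used to compare the two renderings.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
function attributeNames(html) {
  // Names of the double-quoted attributes that actually parse as attributes.
  const names = [];
  const re = /\b([a-z-]+)="[^"]*"/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function demo() {
  return {
    scriptSurvivesVulnerable: containsScriptTag(renderStatusVulnerable(SCRIPT_PAYLOAD)),
    scriptSurvivesHardened: containsScriptTag(renderStatusHardened(SCRIPT_PAYLOAD)),
    attrsVulnerable: attributeNames(renderRoomInputVulnerable(ATTR_PAYLOAD)),
    attrsHardened: attributeNames(renderRoomInputHardened(ATTR_PAYLOAD)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable renderings keep the injected `<script>` element and gain an `onmouseover` attribute; the hardened ones render the same bytes as inert text, and the attribute list stays at `name` and `value`. Encoding must match the output context (element content, attribute value, URL, script), which is why a single server-side "sanitize on input" step is not a substitute.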
Mitigation
Kieback & Peter recommends updating affected devices to the latest firmware versions. As of CISA advisory ICSA-26-139-05, specific patched version numbers are not publicly listed, but users should contact Kieback & Peter support for remediation guidance [1][2]. No workaround is documented in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 1
- Kieback & Peter DDC Building Controllers (CISA ICS Advisories)