CISA Warns of Unpatched XSS Flaw in Kieback & Peter Building Controllers Affecting Critical Infrastructure
CISA disclosed a cross-site scripting vulnerability in multiple Kieback & Peter DDC building controllers, with several end-of-maintenance models receiving no patch and mitigations limited to network segmentation.

CISA has published an advisory for CVE-2026-4293, a cross-site scripting (XSS) vulnerability affecting a wide range of Kieback & Peter DDC building controllers. The flaw, which carries a CVSS v3.1 base score of 5.3 (medium severity), allows an attacker to execute arbitrary JavaScript in the victim's browser and take control of it. The affected products are deployed across critical infrastructure sectors including Commercial Facilities, Healthcare, Government Services, Communications, Financial Services, and Food and Agriculture, with installations reported in Austria, China, France, Germany, the United Arab Emirates, and elsewhere.
The vulnerability stems from improper neutralization of input during web page generation (CWE-79), a classic stored or reflected XSS pattern. An attacker who can trick an authenticated user into clicking a malicious link or visiting a crafted page can hijack the browser session, potentially performing actions on the controller's web interface as the victim. While the CVSS score is moderate, the real-world risk is elevated because many of the affected controllers are deployed in sensitive OT environments where network segmentation is often inconsistent.
A significant concern is that five controller models — the DDC4002, DDC4100, DDC4200, DDC4200-L, and DDC4400 — are end-of-maintenance and will receive no firmware patch. For these devices, Kieback & Peter recommends operating them in a strictly separate OT environment, disabling the web portal if it is not required, restricting network access to trusted individuals only, and educating users to follow only links from trusted sources. For the newer models — DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e, and DDC520 — the vendor has released firmware updates (fixed versions 1.23.5 and 1.24.2, depending on the model) that address the vulnerability.
The advisory was coordinated by CISA after Maximilian Hildebrand of G DATA Advanced Analytics reported the vulnerability. CISA's recommended practices include minimizing network exposure for all control system devices, ensuring they are not accessible from the internet, and using VPNs for remote access where necessary. The agency also urges organizations to perform proper impact analysis and risk assessment before deploying defensive measures.
This disclosure highlights a recurring challenge in industrial control system security: legacy hardware that remains in service long after vendor support ends. Building automation systems, which often have lifecycles of 10–20 years, are particularly vulnerable to this pattern. Without a patch, organizations running the end-of-life controllers must rely entirely on compensating controls such as strict network segmentation, which can be difficult to enforce in complex facility environments. The advisory serves as a reminder that OT asset owners should inventory their devices, identify end-of-life equipment, and plan for replacements before vulnerabilities force emergency mitigations.
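The inventory-and-triage step recommended above, as an added example (not code from the advisory or the vendor): it classifies a constructed controller inventory into end-of-maintenance devices that can only be segmented, supported devices that still need the fixed firmware, and devices with residual internet exposure. The per-model split of the two fixed versions (1.23.5 and 1.24.2) is an assumption to be confirmed against the vendor advisory, since the article does not state which version applies to which model.

```python
"""Triage a building-controller inventory against the Kieback & Peter
DDC advisory (CVE-2026-4293). Device records below are constructed."""
from dataclasses import dataclass

# Models the advisory lists as end-of-maintenance: no firmware fix will ship.
END_OF_MAINTENANCE = {"DDC4002", "DDC4100", "DDC4200", "DDC4200-L", "DDC4400"}

# Fixed firmware per supported model. ASSUMPTION: the article names the two
# fixed versions without a per-model mapping; confirm this table against the
# vendor advisory before relying on it.
FIXED_FIRMWARE = {
    "DDC4002e": "1.23.5", "DDC4200e": "1.23.5", "DDC4400e": "1.23.5",
    "DDC4020e": "1.23.5", "DDC4040e": "1.23.5",
    "DDC520": "1.24.2",
}

def parse_version(v: str) -> tuple[int, ...]:
    """'1.23.5' -> (1, 23, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))

@dataclass
class Device:
    name: str
    model: str
    firmware: str
    web_portal_enabled: bool
    internet_reachable: bool

def triage(dev: Device) -> list[str]:
    """Return the defensive actions the advisory implies for one device."""
    actions = []
    if dev.model in END_OF_MAINTENANCE:
        actions.append("no patch: isolate in a separate OT network segment")
        if dev.web_portal_enabled:
            actions.append("disable web portal if not required")
    elif dev.model in FIXED_FIRMWARE:
        if parse_version(dev.firmware) < parse_version(FIXED_FIRMWARE[dev.model]):
            actions.append(f"update firmware to {FIXED_FIRMWARE[dev.model]}")
    else:
        return ["not listed in this advisory"]
    if dev.internet_reachable:
        actions.append("remove internet exposure; use VPN for remote access")
    return actions or ["no action: already at fixed firmware"]

# Constructed sample inventory (hypothetical device names, not real sites).
INVENTORY = [
    Device("AHU-1", "DDC4200", "1.10.0", True, False),
    Device("AHU-2", "DDC4200e", "1.23.4", True, True),
    Device("BLR-1", "DDC520", "1.24.2", False, False),
]

def report(inventory=INVENTORY) -> dict[str, list[str]]:
    return {d.name: triage(d) for d in inventory}
```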