Skip to main content

Kieback & Peter DDC EUVDEUVD-2026-31125

| CVE-2026-4293 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 icscert GHSA-964f-6vjj-5rw5
5.3
CVSS 3.1 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from Vendor (icscert) · only source for this CVE.

CVSS VectorVendor: icscert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 16:02 vuln.today

DescriptionCVE.org

The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.

AnalysisAI

Cross-site scripting in Kieback & Peter DDC building automation controllers allows a network-accessible attacker to inject and execute arbitrary JavaScript within a victim's browser session when interacting with the device's web interface. Affected models span the full DDC4000 product line - DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400, and their 'E' variants (DDC4002E, DDC4020E, DDC4040E, DDC4200E, DDC4400E) - representing widely deployed OT/ICS building management infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the ICS context elevates concern given the physical-world impact of compromised building controllers.

Technical ContextAI

The affected devices are Direct Digital Controllers (DDCs) manufactured by Kieback & Peter, used in building automation systems (BAS) to manage HVAC, environmental controls, and related physical infrastructure. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored/Reflected XSS), indicating the device's embedded web interface fails to sanitize user-supplied input before rendering it in a browser context. CPE data confirms ten distinct product models are affected, all under the cpe:2.3:a:kieback_&_peter namespace, with version ranges fully wildcarded - implying no firmware version has been confirmed as patched. A notable anomaly exists in the CVSS vector: UI:N (no user interaction required) is atypical for CWE-79, which normally requires a victim to load or interact with a page. This may indicate a stored XSS variant that auto-executes on page load, but this cannot be confirmed from available data alone.

RemediationAI

Consult the CISA ICS advisory ICSA-26-139-05 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05 for vendor-specific patch or firmware upgrade guidance - no exact patched firmware version was available in the data provided, so the vendor advisory is the authoritative source. As a compensating control, restrict network access to the DDC web management interfaces by placing devices behind a dedicated building automation network segment or industrial DMZ and blocking direct internet exposure; this limits the pool of potential attackers who could inject or deliver XSS payloads. Where feasible, require VPN or jump-host access for any remote administration sessions to prevent unauthenticated browser-based attacks. Operators should be advised not to follow unsolicited links or access DDC interfaces from untrusted browser sessions. Content Security Policy (CSP) headers, if configurable at the device level, could reduce XSS impact, but this depends on firmware capability not confirmed in available data.

Share

EUVD-2026-31125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy