XSS Vulnerability Discovered in Kieback & Peter DDC Building Controllers
A cross-site scripting (XSS) vulnerability has been identified in **Kieback & Peter** DDC Building Controllers. Successful exploitation could allow an attacker to gain control of a victim's browser, posing a significant risk to critical infrastructure sectors.
# XSS Vulnerability Impacts Kieback & Peter Building Controllers
**CISA** has released an advisory regarding a cross-site scripting (XSS) vulnerability affecting various versions of **Kieback & Peter** DDC Building Controllers. The vulnerability, tracked as **CVE-2026-4293**, could allow an attacker to execute arbitrary script in a victim's browser within the origin of the controller's web interface, which CISA summarizes as the attacker gaining control of the victim's browser.
[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json)
## Affected Products
The following **Kieback & Peter** DDC Building Controller versions are affected:
* DDC4002 <=1.12.14 (**CVE-2026-4293**)
* DDC4100 <=1.12.14 (**CVE-2026-4293**)
* DDC4200 <=1.12.14 (**CVE-2026-4293**)
* DDC4200-L <=1.12.14 (**CVE-2026-4293**)
* DDC4400 <=1.12.14 (**CVE-2026-4293**)
* DDC4002e <=1.23.4 (**CVE-2026-4293**)
* DDC4200e <=1.23.4 (**CVE-2026-4293**)
* DDC4400e <=1.23.4 (**CVE-2026-4293**)
* DDC4020e <=1.23.4 (**CVE-2026-4293**)
* DDC4040e <=1.23.4 (**CVE-2026-4293**)
* DDC520 <=1.24.1 (**CVE-2026-4293**)
## Vulnerability Details
### CVE-2026-4293: Cross-Site Scripting
This vulnerability stems from improper neutralization of input during web page generation (CWE-79): data supplied to the controller's web interface is written into a page without adequate encoding, so an attacker can inject script into pages viewed by other users. Because the injected script runs in the same origin as the controller's web interface, it executes with whatever access the viewing user has to that interface, which is what lets the attacker control the browser's interaction with the device.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-4293)
**CWE:** [CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)
## Impact
Successful exploitation of this vulnerability could allow an attacker to:
* Execute arbitrary script in the victim's browser within the origin of the controller's web interface.
* Read anything the victim's browser can see in that interface and issue requests to the controller with the victim's session, so any action the logged-in user is permitted to take is available to the script.
* Steal cookies or session tokens that are not protected by the HttpOnly flag.
* Alter the page content shown to the operator, for example displaying false status information.
* Redirect the victim to an attacker-controlled site.
* Use the victim's browser as a foothold for further attacks against systems it can reach, which is what CISA summarizes as gaining control of the browser.
## Affected Sectors and Regions
This vulnerability poses a risk to organizations in various critical infrastructure sectors, including:
* Commercial Facilities
* Communications
* Financial Services
* Food and Agriculture
* Government Services and Facilities
* Healthcare and Public Health
* Information Technology
The affected systems are deployed in:
* Austria
* China
* France
* Germany
* United Arab Emirates
## Mitigation
Operators should first check the running firmware version of each controller against the affected-version list above. **CISA** additionally recommends the following measures to mitigate the risk of exploitation:
* Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
* Implement recommended cybersecurity strategies for proactive defense of ICS assets.
* Follow established internal procedures and report suspected malicious activity to **CISA**.
* Do not click web links or open attachments in unsolicited email messages.
## Acknowledgements
**Maximilian Hildebrand** of **G DATA Advanced Analytics** reported this vulnerability to **CISA**.