According to CISA, the Kieback & Peter DDC Building Controllers advisory highlights a Cross-site Scripting vulnerability (CVE-2026-4293) that could allow an attacker to take control of a victim's browser. The affected products span multiple DDC Building Controllers, including DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400, DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e, and DDC520, with affected firmware capped at <=1.12.14, <=1.23.4, or <=1.24.1 depending on the model, as listed in the advisory.
The advisory notes a CVSS v3 base score of 5.3 (MEDIUM) and recommends a defence-in-depth approach, emphasising network segmentation, firewalls, and minimising internet exposure of building automation (BA) systems. It also provides vendor-specific mitigation steps, including operating certain devices in strictly separate OT environments, restricting web portal access, disabling web portal access when it is not required, and updating firmware to 1.23.5 or newer for most models and 1.24.2 or newer for DDC520. No known public exploitation had been reported to CISA at the time.
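As an added example (not code from the advisory, CISA, or the vendor), the following Python script triages a constructed controller inventory against the fixed firmware versions the advisory names. It assumes that every listed model other than DDC520 follows the 1.23.5 threshold and that the inventory uses a hypothetical `host,model,firmware` layout; note the DDC520 edge case, where 1.23.5 is still below its own 1.24.2 fix.

```python
# Added example: flag Kieback & Peter DDC controllers whose firmware predates the
# fixed versions named in the CISA advisory. Thresholds below come from the
# advisory text; the mapping of "most models" to DEFAULT_FIXED is an assumption.
FIXED_VERSION = {"DDC520": (1, 24, 2)}   # DDC520 needs 1.24.2 or newer
DEFAULT_FIXED = (1, 23, 5)               # "most models": 1.23.5 or newer
AFFECTED_MODELS = {
    "DDC4002", "DDC4100", "DDC4200", "DDC4200-L", "DDC4400", "DDC4002e",
    "DDC4200e", "DDC4400e", "DDC4020e", "DDC4040e", "DDC520",
}


def parse_version(text):
    """'1.23.4' -> (1, 23, 4). Compare as integer tuples, never as strings,
    otherwise '1.9.0' would sort above '1.23.5'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model, version):
    """True when the model is in the advisory's scope and its firmware is
    below the fixed version for that model."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(version) < FIXED_VERSION.get(model, DEFAULT_FIXED)


def triage(inventory):
    """inventory: iterable of 'host,model,firmware' lines (hypothetical layout).
    Returns (host, model, firmware) tuples that still need the update."""
    findings = []
    for line in inventory:
        if not line.strip() or line.startswith("#"):
            continue
        host, model, fw = (f.strip() for f in line.split(","))
        if is_vulnerable(model, fw):
            findings.append((host, model, fw))
    return findings


# Constructed sample inventory (not real devices)
SAMPLE_INVENTORY = """# host,model,firmware
ahu-01,DDC4200,1.23.4
ahu-02,DDC4200,1.23.5
plant-01,DDC520,1.23.5
plant-02,DDC520,1.24.2
lobby-01,DDC4002e,1.12.14
other-01,OTHER-MODEL,1.0.0
""".splitlines()

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {fw} predates the fix; update and restrict web portal access")
```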