ICSA-26-139-05 · Published 2026-05-19 · Source: CISA ICS-CERT
Kieback & Peter DDC Building Controllers
CVSS 5.3 (MEDIUM)
Risk Summary
Successful exploitation of this vulnerability could allow an attacker to take control of the victim's browser.
CVEs (1)
Remediations
- Kieback & Peter DDC Building Controllers are developed and designed for use in closed building automation networks. The system is protected by a multi-level perimeter against attacks, especially from outside, by dividing it into operational technology (OT) zones with firewalls. Building automation systems (BA systems) in general should not be directly accessible from untrusted networks, especially from the Internet, but should be protected by consistently applying the defense-in-depth strategy. This concept is supported by organizational measures in the building as part of a safety management system. In order to achieve safety, measures are required at all levels.
- The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are end-of-maintenance; therefore the recommendations for these devices are as follows:
  - These devices must be operated in a strictly separate OT environment.
  - Only trusted individuals should be granted network access to the DDC web portal.
  - Access to the web portal should be disabled in the device configuration if not required.
  - Users should be informed that only links from trusted sources should be used to access the web service.
- For the DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, Kieback & Peter recommends the following safety measures:
  - Restrict network access to the device.
  - Do not directly connect the device to the Internet.
- Update the firmware to the latest available version:
  - DDC4002e -> Update to version 1.23.5 or newer
  - DDC4200e -> Update to version 1.23.5 or newer
  - DDC4400e -> Update to version 1.23.5 or newer
  - DDC4020e -> Update to version 1.23.5 or newer
  - DDC4040e -> Update to version 1.23.5 or newer
  - DDC520 -> Update to version 1.24.2 or newer
Affected Vendors
Kieback & Peter
Affected Products (11)
- Kieback & Peter DDC4002, versions <=1.12.14
- Kieback & Peter DDC4100, versions <=1.12.14
- Kieback & Peter DDC4200, versions <=1.12.14
- Kieback & Peter DDC4200-L, versions <=1.12.14
- Kieback & Peter DDC4400, versions <=1.12.14
- Kieback & Peter DDC4002e, versions <=1.23.4
- Kieback & Peter DDC4200e, versions <=1.23.4
- Kieback & Peter DDC4400e, versions <=1.23.4
- Kieback & Peter DDC4020e, versions <=1.23.4
- Kieback & Peter DDC4040e, versions <=1.23.4
- Kieback & Peter DDC520, versions <=1.24.1
Affected Sectors
Commercial Facilities, Communications, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology