Kieback & Peter DDC Building Controllers

CVSS 5.3 | ICS-CERT ICSA-26-139-05 | May 19, 2026
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A cross-site scripting (XSS) vulnerability exists in the Kieback & Peter DDC Building Controllers web interface that allows an attacker to inject malicious code into the browser of an authenticated user. If a facility operator clicks on a malicious link while logged into the controller, the attacker can execute arbitrary code in the context of the web session, potentially modifying building automation settings or stealing session tokens. The vulnerability affects DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400, DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e, and DDC520 controllers up to specified firmware versions. Older models (DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400) are end-of-maintenance and will not receive patches; newer models (DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e, DDC520) have patches available. The vendor recommends these systems be isolated in secure OT networks behind firewalls, accessed only by trusted personnel, and that users avoid accessing the web portal through untrusted links.

What this means
What could happen
An attacker who tricks a user into clicking a malicious link or visiting a compromised website could inject code into the DDC controller's web interface, allowing them to manipulate building automation settings such as temperature controls, occupancy detection, or access systems.
Who's at risk
Building automation operators and facility managers who use Kieback & Peter DDC controllers to manage HVAC, lighting, occupancy, and access systems. This affects mid-size facilities (schools, offices, municipal buildings, water authorities, utilities) that rely on these controllers for climate and operations management.
How it could be exploited
An attacker sends a crafted URL or embeds malicious JavaScript in a web page. When a trusted facility operator clicks the link and accesses the DDC web portal, the injected code executes in their browser, allowing the attacker to modify controller settings or exfiltrate configuration data without the user's knowledge.
Prerequisites
  • Network access to the DDC web portal (port 80 or 443)
  • Valid user credentials to log into the web interface
  • User clicks a malicious link or visits a compromised website while authenticated to the DDC portal
Tags: remotely exploitable, low complexity, affects building automation systems, end-of-life products without patches available
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
11 with fix
Product    | Affected Versions | Fix Status
DDC4002    | ≤ 1.12.14         | Fix available
DDC4100    | ≤ 1.12.14         | Fix available
DDC4200    | ≤ 1.12.14         | Fix available
DDC4200-L  | ≤ 1.12.14         | Fix available
DDC4400    | ≤ 1.12.14         | Fix available
DDC4002e   | ≤ 1.23.4          | 1.23.5 or newer
DDC4200e   | ≤ 1.23.4          | 1.23.5 or newer
DDC4400e   | ≤ 1.23.4          | 1.23.5 or newer
Remediation & Mitigation
Do now
DDC4002
WORKAROUND: For end-of-maintenance controllers (DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400): disable the web portal in device configuration if not actively needed for operations
All products
HARDENING: Restrict network access to the DDC web portal to only trusted facility management staff and disable external internet access
HARDENING: Implement a firewall rule to block direct access to the DDC controllers from untrusted networks or the internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

DDC4002
HOTFIX: Update DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers to firmware version 1.23.5 or newer
DDC520
HOTFIX: Update DDC520 controller to firmware version 1.24.2 or newer
Long-term hardening
HARDENING: Train facility operators to only access the DDC web portal through official, direct URLs and never through links provided in emails or external websites
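To turn the affected-versions table and the hotfix items above into an inventory check, here is an added Python example (not code from Kieback & Peter or from the advisory publisher). It assumes firmware strings are dotted numerics; for DDC4020e, DDC4040e and DDC520 the page lists only the fixed version, so it treats any lower build as affected, and it flags end-of-maintenance models for the workaround rather than a patch.

```python
from __future__ import annotations

# model -> (highest affected version from the advisory table, or None;
#           fixed version from the hotfix items, or None = end-of-maintenance).
# DDC4020e, DDC4040e and DDC520 have no tabulated range on the page, so any
# build below their fixed version is treated as affected (assumption).
EOM = ("1.12.14", None)
ADVISORY = {
    "DDC4002": EOM, "DDC4100": EOM, "DDC4200": EOM, "DDC4200-L": EOM, "DDC4400": EOM,
    "DDC4002e": ("1.23.4", "1.23.5"), "DDC4200e": ("1.23.4", "1.23.5"),
    "DDC4400e": ("1.23.4", "1.23.5"), "DDC4020e": (None, "1.23.5"),
    "DDC4040e": (None, "1.23.5"), "DDC520": (None, "1.24.2"),
}
EOM_ACTION = "end-of-maintenance: disable web portal if unused, keep on isolated OT network"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.23.4' into (1, 23, 4) so tuple comparison orders releases."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(model: str, firmware: str) -> dict:
    """Say whether one controller is affected and which advisory action applies."""
    if model not in ADVISORY:
        return {"affected": False, "fix": None, "action": "model not listed in advisory"}
    max_affected, fix = ADVISORY[model]
    ver = parse_version(firmware)
    if fix is not None:  # patchable models: anything below the fixed build
        affected = ver < parse_version(fix)
        action = f"update to {fix} or newer" if affected else "patched"
    else:  # end-of-maintenance models: workaround only, no patch
        affected = ver <= parse_version(max_affected)
        action = EOM_ACTION if affected else "above advisory range; no vendor patch exists"
    return {"affected": affected, "fix": fix, "action": action}


def triage(inventory: list[tuple[str, str, str]]) -> list[dict]:
    """Run assess() over (host, model, firmware) rows and keep the affected ones."""
    findings = []
    for host, model, fw in inventory:
        result = assess(model, fw)
        if result["affected"]:
            findings.append({"host": host, "model": model, "firmware": fw, **result})
    return findings


# Constructed sample inventory; hostnames and firmware builds are made up.
SAMPLE = [("bms-01", "DDC4002e", "1.23.4"), ("bms-02", "DDC4002e", "1.23.5"),
          ("bms-03", "DDC4200", "1.12.14"), ("bms-04", "DDC520", "1.24.1")]
```

Feed `triage()` the output of your asset inventory export and the "action" field tells you which remediation bucket above each controller falls into.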