PatchSiren cyber security CVE debrief

CVE-2024-41717 Kieback & Peter CVE debrief

CVE-2024-41717 is a critical path traversal vulnerability in Kieback&Peter DDC4000 series building automation controllers, published on October 17, 2024. It allows an unauthenticated remote attacker to read arbitrary files on an affected controller and carries a CVSS 3.1 base score of 9.8 (Critical). Ten product variants across two controller generations are affected: the legacy DDC4002, DDC4200, DDC4200-L and DDC4400 (firmware 1.12.14 and prior) and DDC4100 (firmware 1.7.4 and prior), and the newer DDC4002e, DDC4020e, DDC4040e, DDC4200e and DDC4400e (firmware 1.17.6 and prior). Because no authentication is required, any host that can reach a controller's network interface can retrieve files from it. CISA coordinated disclosure through advisory ICSA-24-291-05. Remediation diverges by generation: the five legacy models are end-of-life and receive no further security updates, so they must be migrated to supported hardware or strictly segmented; the five 'e' series models have vendor-supported firmware updates. Kieback&Peter recommends upgrading all supported DDC systems to firmware 1.21.0 or later, obtained by contacting the local Kieback&Peter office. Organizations running these controllers in OT environments should prioritize inventory verification, network isolation review and firmware update coordination, given the unauthenticated exploitation vector and critical severity.

Vendor
Kieback & Peter
Product
DDC4002
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-10-17
Original CVE updated
2024-10-17
Advisory published
2024-10-17
Advisory updated
2024-10-17

Who should care

Organizations operating Kieback&Peter building automation systems, critical infrastructure facilities using DDC4000 series controllers for HVAC and environmental control, OT security teams managing building management system (BMS) networks, and facility managers responsible for lifecycle management of automation hardware.

Technical summary

Path traversal vulnerability in Kieback&Peter DDC4000 series building automation controllers allows unauthenticated remote attackers to read arbitrary files via directory traversal sequences. Affects 10 product variants: DDC4002 (≤1.12.14), DDC4100 (≤1.7.4), DDC4200 (≤1.12.14), DDC4200-L (≤1.12.14), DDC4400 (≤1.12.14), DDC4002e (≤1.17.6), DDC4020e (≤1.17.6), DDC4040e (≤1.17.6), DDC4200e (≤1.17.6), and DDC4400e (≤1.17.6). CVSS 3.1: 9.8 (Critical). Legacy non-'e' models are end-of-life with no patches; 'e' series models have firmware 1.21.0 available through vendor contact.
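The affected-version table above is easy to apply by hand for one device and easy to get wrong across a whole site, mainly because firmware strings such as "1.9.0" sort above "1.17.6" when compared as text. The following is an added example, not Kieback&Peter code: it encodes the per-model ceilings and the 1.21.0 fix version exactly as the advisory text states them, compares versions numerically, and separates the legacy models (no patch path) from the 'e' series (upgrade available). The hostnames and firmware values in SAMPLE_INVENTORY are constructed.

```python
"""Inventory triage for CVE-2024-41717.

Added example, not Kieback&Peter code. The per-model ceilings and the
1.21.0 fix version are the ones stated in the advisory text; hostnames
and firmware values in SAMPLE_INVENTORY are constructed.
"""

# Highest affected firmware version per model (inclusive).
AFFECTED_UP_TO = {
    "DDC4002": "1.12.14",
    "DDC4100": "1.7.4",
    "DDC4200": "1.12.14",
    "DDC4200-L": "1.12.14",
    "DDC4400": "1.12.14",
    "DDC4002e": "1.17.6",
    "DDC4020e": "1.17.6",
    "DDC4040e": "1.17.6",
    "DDC4200e": "1.17.6",
    "DDC4400e": "1.17.6",
}
# Legacy generation: end-of-life, no fixed firmware exists.
EOL_MODELS = {"DDC4002", "DDC4100", "DDC4200", "DDC4200-L", "DDC4400"}
# Vendor fix for the 'e' generation.
E_SERIES_FIXED = (1, 21, 0)


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted firmware string into integers so comparison is numeric.

    Plain string comparison gets this wrong: "1.9.0" > "1.17.6" lexically,
    which would mark an affected 1.9.0 'e' controller as patched.
    """
    return tuple(int(part) for part in version.strip().split("."))


def triage(model: str, firmware: str) -> str:
    """Classify one controller against the advisory's affected-version table."""
    ceiling = AFFECTED_UP_TO.get(model)
    if ceiling is None:
        return "unknown-model"  # not in the advisory; verify manually
    try:
        ver = parse_version(firmware)
    except ValueError:
        return "unparseable-version"
    if ver <= parse_version(ceiling):
        # Inside the affected range. Legacy hardware has no patch path.
        return "affected-eol" if model in EOL_MODELS else "affected-upgrade-to-1.21.0"
    if model not in EOL_MODELS and ver >= E_SERIES_FIXED:
        return "fixed"
    # Above the listed ceiling but not a version the advisory names as fixed;
    # legacy models remain EOL hardware whatever their version.
    return "not-in-affected-range"


def triage_inventory(rows):
    """rows: iterable of (hostname, model, firmware). Returns (hostname, status) pairs."""
    return [(host, triage(model, fw)) for host, model, fw in rows]


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("bms-ahu-01", "DDC4100", "1.7.4"),
    ("bms-ahu-02", "DDC4002e", "1.9.0"),
    ("bms-chiller-01", "DDC4200e", "1.21.0"),
    ("bms-lobby-01", "DDC4400", "1.12.15"),
    ("bms-roof-01", "DDC9999", "2.0"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {status}")
```

A legacy controller reporting a version above its listed ceiling is still EOL hardware and still belongs in the segmentation and migration plan; the "not-in-affected-range" status only says the advisory does not name that version.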

Defensive priority

critical

Recommended defensive actions

  • Inventory all Kieback&Peter DDC4000 series controllers in your environment to identify affected models and firmware versions
  • For DDC4002, DDC4100, DDC4200, DDC4200-L, and DDC4400 (legacy non-'e' models): implement strict network segmentation to isolate these EOL devices from untrusted networks; plan migration to the supported DDC4002e, DDC4020e, DDC4040e, DDC4200e, and DDC4400e controllers
  • For DDC4002e, DDC4020e, DDC4040e, DDC4200e, and DDC4400e controllers: contact your local Kieback&Peter office to obtain and apply firmware version 1.21.0 or later
  • Restrict network access to affected controllers at the perimeter and segment within OT networks to limit exposure of unauthenticated path traversal attack surface
  • Monitor for anomalous file access patterns or unexpected HTTP requests to controller web interfaces that may indicate exploitation attempts
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies in building automation environments
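The monitoring action above is the one that can be implemented today on every controller, patched or not, because traversal attempts leave a recognisable mark in HTTP request lines. The following is an added example, not Kieback&Peter code: it scans access-log lines for ".." segments after percent-decoding them to a fixed point (so double encoding such as %252e is caught), normalises backslashes, and also flags the well-known overlong UTF-8 encodings of "." and "/". The advisory does not describe the vulnerable endpoint, so the request paths are illustrative, and the log lines are constructed in combined log format as a proxy or network tap in front of the controller might record them.

```python
"""Flag path-traversal attempts against a controller web interface in HTTP access logs.

Added example, not Kieback&Peter code. The DDC4000 advisory does not describe
the vulnerable endpoint, so the request paths below are illustrative, and the
log lines are constructed in combined log format as a proxy or tap in front of
the controller might record them.
"""
import re
from urllib.parse import unquote

# Method and request-target from a combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment delimited by a path separator or parameter boundary, checked
# after decoding and backslash normalisation. "2024..10.pdf" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/?=&;])\.\.(?:/|$)')
# Overlong UTF-8 encodings of "." and "/" that a lenient decoder may accept
# but unquote() does not turn into ASCII; checked against the raw target.
OVERLONG_RE = re.compile(r'%c0%ae|%c0%2e|%c0%af|%c1%9c', re.IGNORECASE)


def decode_fully(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then normalise backslashes.

    Double encoding (%252e -> %2e -> .) needs more than one pass.
    """
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the request target carries a traversal sequence in any encoding handled here."""
    if OVERLONG_RE.search(target):
        return True
    return TRAVERSAL_RE.search(decode_fully(target)) is not None


def scan_log(lines):
    """Return one record per suspicious line: client, method, raw and decoded target."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_traversal(target):
            hits.append({
                "client": line.split(" ", 1)[0],
                "method": m.group("method"),
                "target": target,
                "decoded": decode_fully(target),
            })
    return hits


# Constructed sample lines: one internal client browsing normally, two
# external addresses probing with plain, encoded, double-encoded and
# query-parameter traversal.
SAMPLE_LOG = [
    '10.0.5.23 - - [17/Oct/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.5.23 - - [17/Oct/2024:10:01:05 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/Oct/2024:10:02:11 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1187',
    '198.51.100.7 - - [17/Oct/2024:10:02:13 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 950',
    '198.51.100.7 - - [17/Oct/2024:10:02:15 +0000] "GET /%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 240',
    '203.0.113.9 - - [17/Oct/2024:10:03:00 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1187',
    '10.0.5.23 - - [17/Oct/2024:10:03:30 +0000] "GET /reports/2024..10.pdf HTTP/1.1" 200 77000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]:14} {hit["method"]} {hit["target"]} -> {hit["decoded"]}')
```

Because the vulnerability needs no credentials, the controller itself may record nothing useful; capture at the segmentation boundary (firewall, reverse proxy or tap) so that probes from outside the BMS segment are logged even when the device is not.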

Evidence notes

Vulnerability description and affected product list derived from CISA CSAF advisory ICSA-24-291-05. CVSS score and vector from official CVE record. Remediation guidance extracted from vendor-provided CSAF remediations section. End-of-life status for legacy controllers explicitly stated in vendor fix remediation category.

Official resources

CISA ICS advisory ICSA-24-291-05 (coordinated disclosure)