PatchSiren cyber security CVE debrief
CVE-2024-43698 Kieback&Peter CVE debrief
A critical vulnerability in Kieback&Peter DDC4000 series building automation controllers enables unauthenticated attackers to gain full administrative access due to weak default credentials. Published October 17, 2024, this flaw affects ten product variants across both legacy (EOL) and currently supported controller lines. The CVSS 9.8 score reflects a network-exploitable, low-complexity attack requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. CISA's advisory indicates that the legacy DDC4002, DDC4100, DDC4200, DDC4200-L, and DDC4400 controllers have reached end-of-life and will not receive patches; these should be isolated in strictly segmented OT environments or replaced. For the supported DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, Kieback&Peter has released firmware version 1.21.0 to address the credential weakness. Organizations should prioritize firmware updates for supported devices and network segmentation for legacy installations, since administrative access to a building automation controller could let an attacker manipulate HVAC, access control, and other critical building systems.
- Vendor: Kieback&Peter
- Product: DDC4002
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-17
- Original CVE updated: 2024-10-17
- Advisory published: 2024-10-17
- Advisory updated: 2024-10-17
Who should care
Organizations operating Kieback&Peter building automation systems, including facility managers, OT security teams, critical infrastructure operators, and building owners with integrated HVAC and access control systems.
Technical summary
The Kieback&Peter DDC4000 series building automation controllers ship with weak credentials that allow unauthenticated remote attackers to obtain full administrative privileges. The vulnerability is network-exploitable with low attack complexity and requires no privileges or user interaction. Affected products include five end-of-life controllers (DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400) and five supported controllers (DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e). Legacy controllers will not receive patches; supported controllers can be remediated via firmware 1.21.0.
Defensive priority
critical
Recommended defensive actions
- Contact Kieback&Peter local office to obtain and install firmware version 1.21.0 or later for all supported DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers
- Isolate legacy DDC4002, DDC4100, DDC4200, DDC4200-L, and DDC4400 controllers in strictly segmented OT networks with no internet connectivity
- Plan migration from end-of-life DDC4000 series controllers to supported DDC4002e, DDC4200e, DDC4400e, DDC4020e, or DDC4040e models
- Audit all Kieback&Peter DDC controller deployments for default or weak credentials and enforce strong password policies where configurable
- Implement network monitoring for unauthorized access attempts to DDC controller management interfaces
- Apply defense-in-depth controls per CISA ICS recommended practices for industrial control systems
Evidence notes
CISA CSAF advisory ICSA-24-291-05 published 2024-10-17 identifies weak credentials allowing unauthenticated admin access. Affects 10 product variants: DDC4002 (≤1.12.14), DDC4100 (≤1.7.4), DDC4200 (≤1.12.14), DDC4200-L (≤1.12.14), DDC4400 (≤1.12.14), DDC4002e (≤1.17.6), DDC4200e (≤1.17.6), DDC4400e (≤1.17.6), DDC4020e (≤1.17.6), DDC4040e (≤1.17.6). Legacy controllers (CSAFPID-0001 through 0005) are EOL with no patch available. Supported controllers (CSAFPID-0006 through 0010) have vendor fix via firmware 1.21.0.
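As an added example (not part of the advisory or any Kieback&Peter code), the following helper triages a controller inventory against the affected-version table above. The model names, version ceilings, EOL status and the 1.21.0 fix come from the evidence notes; the CSV inventory format, the status labels and the sample inventory lines are assumptions constructed for the example. Note the numeric version comparison: plain string comparison would rank "1.7.4" above "1.12.14" and mis-triage a legacy DDC4002.

```python
"""Triage a controller inventory against the affected-version table in
CISA advisory ICSA-24-291-05 (CVE-2024-43698). Example code, not vendor code."""

# Per-model inclusive ceiling of affected firmware and whether a vendor fix exists.
# Values taken from the advisory; legacy (EOL) models have no patch available.
AFFECTED = {
    "DDC4002":   ((1, 12, 14), False),
    "DDC4100":   ((1, 7, 4),   False),
    "DDC4200":   ((1, 12, 14), False),
    "DDC4200-L": ((1, 12, 14), False),
    "DDC4400":   ((1, 12, 14), False),
    "DDC4002e":  ((1, 17, 6),  True),
    "DDC4200e":  ((1, 17, 6),  True),
    "DDC4400e":  ((1, 17, 6),  True),
    "DDC4020e":  ((1, 17, 6),  True),
    "DDC4040e":  ((1, 17, 6),  True),
}
FIXED_VERSION = (1, 21, 0)  # vendor fix for the supported "e" models


def parse_version(text):
    """'1.12.14' -> (1, 12, 14); integer tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(model, firmware):
    """Return a status label (labels are assumptions, not advisory terms):
    not-in-scope, affected-eol-isolate, affected-patch-1.21.0, fixed, not-listed-confirm."""
    if model not in AFFECTED:
        return "not-in-scope"
    ceiling, has_fix = AFFECTED[model]
    version = parse_version(firmware)
    if version <= ceiling:
        return "affected-patch-1.21.0" if has_fix else "affected-eol-isolate"
    if has_fix and version >= FIXED_VERSION:
        return "fixed"
    # Above the listed ceiling but not at a fix release: not listed as affected,
    # so confirm the device's status with the vendor rather than assuming it is safe.
    return "not-listed-confirm"


def triage_inventory(lines):
    """Parse constructed 'model,firmware' CSV lines into {(model, firmware): status}."""
    results = {}
    for line in lines:
        model, firmware = [field.strip() for field in line.split(",")]
        results[(model, firmware)] = triage(model, firmware)
    return results


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = ["DDC4002,1.7.4", "DDC4002e,1.17.6", "DDC4002e,1.21.0", "DDC4100,1.12.14"]
```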
Official resources
- CVE-2024-43698 CVE record (CVE.org)
- CVE-2024-43698 NVD detail (NVD)
- Source item URL: cisa_csaf
- Source reference
2024-10-17