KNX Protocol CVE-2023-4346 KEV exploitation
Summary
CISA added CVE-2023-4346 to the Known Exploited Vulnerabilities catalog on July 15, 2026. The issue affects KNX Protocol Connection Authorization Option 1 and is described as an overly restrictive account-lockout mechanism that can allow an attacker to purge devices without additional security options enabled and set a BCU key that locks the device.
The public KEV entry does not name an actor or campaign. The durable defender signal is active exploitation against building-automation / smart-building control environments where KNX is deployed, with a CISA remediation due date of July 29, 2026 for covered organizations.
Tags
- ops
- active exploitation
- CISA KEV
- ICS
- OT
- building automation
- smart building
- KNX
- KNX Association
- KNX Protocol
- CVE-2023-4346
- BCU key
- device lockout
- account lockout
- operational technology
- physical systems
Why this matters
- KNX is used in building automation, including lighting, HVAC, access-control-adjacent automation, shutters, energy management, and facility-control integrations.
- CVE-2023-4346 is not a conventional data-theft bug. CISA's description emphasizes device purging and BCU-key setting, which can create denial-of-control or recovery problems in physical environments.
- The KEV addition means CISA has credible evidence of exploitation in the wild, even though public reporting has not yet tied activity to a named actor.
- Building automation systems often sit in weakly segmented facility networks, vendor remote-access paths, or integrator-managed environments. A device-lockout primitive can be operationally disruptive even when it does not provide traditional IT-domain compromise.
Public vulnerability detail
- Affected technology: KNX Protocol Connection Authorization Option 1.
- Vulnerability: overly restrictive account lockout mechanism.
- Reported impact: attacker can purge all devices without additional security options enabled and set a BCU key to lock the device.
- CISA KEV date added: July 15, 2026.
- CISA due date: July 29, 2026.
- Ransomware use: unknown in the KEV record.
- Primary public advisory: CISA ICS advisory ICSA-23-236-01.
Defender heuristics
- Inventory KNX installations, KNX/IP routers, engineering workstations, facility-management servers, vendor remote-access paths, and any building-automation networks bridged to enterprise IT.
- Review CISA ICSA-23-236-01 and vendor/integrator guidance for the exact affected configuration and mitigation steps for Connection Authorization Option 1.
- Enable stronger KNX security options where supported. Do not rely on legacy authorization modes for devices that control critical building functions.
- Restrict KNX/IP exposure to dedicated management networks and approved engineering hosts. Block internet exposure and unmanaged cross-VLAN access.
- Preserve device configuration exports, ETS project files, controller backups, and integrator documentation before remediation so that purged or locked devices can be recovered.
- Hunt for unexpected BCU-key changes, device purges, unexplained device offline states, failed engineering-tool access, abnormal KNX/IP tunneling sessions, and remote-access activity around facility networks.
- Coordinate with facilities, OT, physical security, and integrators before applying changes. Recovery actions can affect lighting, HVAC, access-control-adjacent workflows, and safety-relevant building operations.
Related pages
- Lantronix EDS5000 CVE-2025-67038 exploitation
- Ubiquiti UniFi OS CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 exploitation
- Tenda firmware CVE-2026-11405 hidden authentication backdoor
Sources
- CISA KEV catalog: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- CISA ICS advisory ICSA-23-236-01: https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01
- NVD CVE-2023-4346: https://nvd.nist.gov/vuln/detail/CVE-2023-4346