Skip to content

KNX Protocol CVE-2023-4346 KEV exploitation

Summary

CISA added CVE-2023-4346 to the Known Exploited Vulnerabilities catalog on July 15, 2026. The issue affects KNX Protocol Connection Authorization Option 1 and is described as an overly restrictive account-lockout mechanism that can allow an attacker to purge devices without additional security options enabled and set a BCU key that locks the device.

The public KEV entry does not name an actor or campaign. The durable defender signal is active exploitation against building-automation / smart-building control environments where KNX is deployed, with a CISA remediation due date of July 29, 2026 for covered organizations.

Tags

Why this matters

  • KNX is used in building automation, including lighting, HVAC, access-control-adjacent automation, shutters, energy management, and facility-control integrations.
  • CVE-2023-4346 is not a conventional data-theft bug. CISA's description emphasizes device purging and BCU-key setting, which can create denial-of-control or recovery problems in physical environments.
  • The KEV addition means CISA has credible evidence of exploitation in the wild, even though public reporting has not yet tied activity to a named actor.
  • Building automation systems often sit in weakly segmented facility networks, vendor remote-access paths, or integrator-managed environments. A device-lockout primitive can be operationally disruptive even when it does not provide traditional IT-domain compromise.

Public vulnerability detail

  • Affected technology: KNX Protocol Connection Authorization Option 1.
  • Vulnerability: overly restrictive account lockout mechanism.
  • Reported impact: attacker can purge all devices without additional security options enabled and set a BCU key to lock the device.
  • CISA KEV date added: July 15, 2026.
  • CISA due date: July 29, 2026.
  • Ransomware use: unknown in the KEV record.
  • Primary public advisory: CISA ICS advisory ICSA-23-236-01.

Defender heuristics

  1. Inventory KNX installations, KNX/IP routers, engineering workstations, facility-management servers, vendor remote-access paths, and any building-automation networks bridged to enterprise IT.
  2. Review CISA ICSA-23-236-01 and vendor/integrator guidance for the exact affected configuration and mitigation steps for Connection Authorization Option 1.
  3. Enable stronger KNX security options where supported. Do not rely on legacy authorization modes for devices that control critical building functions.
  4. Restrict KNX/IP exposure to dedicated management networks and approved engineering hosts. Block internet exposure and unmanaged cross-VLAN access.
  5. Preserve device configuration exports, ETS project files, controller backups, and integrator documentation before remediation so that purged or locked devices can be recovered.
  6. Hunt for unexpected BCU-key changes, device purges, unexplained device offline states, failed engineering-tool access, abnormal KNX/IP tunneling sessions, and remote-access activity around facility networks.
  7. Coordinate with facilities, OT, physical security, and integrators before applying changes. Recovery actions can affect lighting, HVAC, access-control-adjacent workflows, and safety-relevant building operations.

Sources

  • CISA KEV catalog: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • CISA ICS advisory ICSA-23-236-01: https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01
  • NVD CVE-2023-4346: https://nvd.nist.gov/vuln/detail/CVE-2023-4346