Executive Summary
CVE-2023-4346 is an overly restrictive account lockout mechanism vulnerability affecting the KNX Association KNX Protocol Connection Authorization Option 1. The flaw allows an attacker to purge all devices on a KNX installation where additional security options are not enabled, and to set a BCU (Bus Coupling Unit) key to permanently lock devices, effectively rendering building automation systems inoperable. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on July 15, 2026, confirming active real-world exploitation.
KNX is the globally dominant standard for building automation and control networks — managing lighting, HVAC, access control, security systems, and energy management in commercial and residential buildings worldwide.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-4346 |
| Affected Product | KNX Protocol Connection Authorization Option 1 |
| Vendor | KNX Association |
| Vulnerability Type | Overly Restrictive Account Lockout Mechanism |
| Attack Prerequisite | Additional security options NOT enabled |
| CISA KEV Status | Added 2026-07-15 |
| CWE | CWE-645: Overly Restrictive Account Lockout Mechanism |
Affected Products
| Product | Component | Notes |
|---|---|---|
| KNX Protocol | Connection Authorization Option 1 | Affected when additional security options are not enabled |
This vulnerability specifically applies to KNX devices and installations that rely on Connection Authorization Option 1 without deploying additional security configurations. Installations using the newer KNX IP Secure or KNX Data Secure extensions may have additional protections in place.
Technical Analysis
What is KNX?
KNX is an open standard for commercial and residential building automation — the backbone of intelligent building control systems worldwide. It is used to control:
- Lighting and blinds/shading
- HVAC (heating, ventilation, air conditioning)
- Access control and alarm systems
- Energy management and metering
- Audio/visual and intercom systems
KNX runs over various physical layers (twisted pair, IP, powerline, RF) and is deployed in millions of commercial buildings, data centers, hospitals, airports, and smart homes globally.
The Vulnerability
Connection Authorization Option 1 in KNX provides a basic access control mechanism using a BCU key (a 4-byte password protecting the device programming interface). The vulnerability arises from a design weakness in how the protocol handles the BCU key protection:
- An attacker with access to the KNX bus (physical or IP) can exploit the overly restrictive lockout mechanism
- By sending specially crafted connection authorization requests, the attacker can purge all device configurations on unprotected devices
- More critically, the attacker can overwrite the BCU key — setting an attacker-controlled key that prevents legitimate administrators from accessing or reprogramming the affected devices
Once the BCU key is overwritten, the devices remain functional but cannot be reconfigured without knowing the new key, which the attacker controls. In the worst case, devices can be locked out permanently if the BCU key is set to a value the attacker does not disclose.
Attack Flow
1. Attacker gains access to the KNX bus network
(physical TP bus access, IP tunnel, or KNXnet/IP gateway)
2. Attacker identifies target devices using standard ETS discovery
3. Attacker sends crafted Connection Authorization requests
4. Devices without additional security options accept the manipulated requests
5. Attacker purges device application programs and group address tables
6. Attacker sets new BCU key value — original administrators locked out
7. Devices remain powered but uncontrollable without attacker's keyWhy This Is Especially Dangerous in OT/Building Automation
Unlike traditional IT systems, building automation devices:
- Run continuously — taking them offline for remediation disrupts business operations
- Are widely networked — a single KNX IP gateway can expose hundreds of bus devices
- Are difficult to audit — building managers often lack visibility into device states
- Have long replacement cycles — hardware is typically not replaced for 10–20 years
- Lack security monitoring — building automation systems rarely have EDR or SIEM coverage
A successful attack could:
- Disable HVAC in data centers or medical facilities, triggering thermal shutdowns
- Lock out access control systems, trapping occupants or blocking emergency response
- Cut lighting in critical operations environments
- Disrupt energy management systems, causing uncontrolled power consumption
Impact Assessment
| Impact Area | Description |
|---|---|
| Device Lockout | BCU key overwrite locks legitimate admins out of all affected devices |
| Configuration Purge | Application programs and group addresses can be wiped from devices |
| Operational Disruption | Building systems (HVAC, lighting, access) become uncontrollable |
| Persistent Denial of Service | Without the new BCU key, recovery requires physical device reset |
| Physical Safety Risk | Critical systems (medical, emergency lighting) may be affected |
Immediate Remediation
Step 1: Enable Additional KNX Security Options
The primary mitigation is to configure KNX installations with the security extensions provided in modern KNX standards:
- KNX IP Secure: Encrypts and authenticates KNX IP communication using TLS and AES-128
- KNX Data Secure: Provides end-to-end encryption and authentication at the data link layer
These options are configurable via the ETS (Engineering Tool Software) programming environment.
Step 2: Audit BCU Key Usage
# In ETS (Engineering Tool Software):
# 1. Check all devices for BCU key protection status
# 2. Document current BCU key values for all critical devices
# 3. Verify BCU keys have not been unexpectedly changed
# 4. Set strong, unique BCU keys on all unprotected devicesStep 3: Restrict KNX Bus Access
# Network segmentation measures:
# - Isolate KNX IP gateways on dedicated VLANs
# - Block public access to KNXnet/IP ports (UDP 3671)
# - Restrict access to ETS programming interfaces
# - Implement access control lists for KNX IP connections
# - Consider IP-based firewalling between IT and OT networksStep 4: Inventory and Assess Exposure
# Identify all KNX IP gateways and tunnels exposed to:
# - Corporate IT network
# - Internet (directly or via forwarding)
# - Wi-Fi networks accessible to visitors
# - Any network not exclusively under building management controlDetection Indicators
| Indicator | Description |
|---|---|
| Unexpected ETS programming connections | Unauthorized ETS sessions from unknown IP addresses |
| BCU key changes | Device BCU keys changed without authorized programming session |
| Group address table erasure | Devices reporting erased application programs |
| KNXnet/IP traffic from unknown sources | Unexpected tunneling connections to KNX IP gateways |
| Device non-responsiveness | Devices that were operational becoming unresponsive to bus commands |
Post-Remediation Checklist
- Enable KNX IP Secure or KNX Data Secure on all applicable devices and gateways
- Audit all device BCU keys — verify they have not been altered
- Document and store BCU keys in a secure password management system
- Restrict KNXnet/IP gateway access to authorized management systems only
- Review ETS access logs for unauthorized programming connections
- Apply firmware updates for all KNX IP gateways — check vendor advisories
- Physically inspect devices if remote audit indicates potential tampering
- Test system functionality after remediation to verify no disruption to operations
- Train building management staff on KNX security risks and indicators of compromise
CISA KEV Context
CISA's addition of CVE-2023-4346 to the Known Exploited Vulnerabilities catalog on July 15, 2026 indicates this vulnerability has been actively exploited in real-world attacks against operational technology environments. Federal agencies are required to remediate KEV-listed vulnerabilities within CISA's mandated timeframe. Organizations operating KNX-based building automation systems should treat this as an urgent operational risk regardless of sector.