Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1913+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2023-4346: KNX Protocol Connection Authorization Option 1 Account Lockout Vulnerability
CVE-2023-4346: KNX Protocol Connection Authorization Option 1 Account Lockout Vulnerability
SECURITYMEDIUMCVE-2023-4346

CVE-2023-4346: KNX Protocol Connection Authorization Option 1 Account Lockout Vulnerability

A vulnerability in KNX Association KNX Protocol Connection Authorization Option 1 allows an attacker to purge all devices without additional security options enabled and set a BCU key to lock the device. CISA added this flaw to the Known Exploited Vulnerabilities catalog on July 15, 2026.

Dylan H.

Security Team

July 15, 2026
7 min read

Affected Products

  • KNX Association KNX Protocol Connection Authorization Option 1

Executive Summary

CVE-2023-4346 is an overly restrictive account lockout mechanism vulnerability affecting the KNX Association KNX Protocol Connection Authorization Option 1. The flaw allows an attacker to purge all devices on a KNX installation where additional security options are not enabled, and to set a BCU (Bus Coupling Unit) key to permanently lock devices, effectively rendering building automation systems inoperable. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on July 15, 2026, confirming active real-world exploitation.

KNX is the globally dominant standard for building automation and control networks — managing lighting, HVAC, access control, security systems, and energy management in commercial and residential buildings worldwide.


Vulnerability Overview

AttributeValue
CVE IDCVE-2023-4346
Affected ProductKNX Protocol Connection Authorization Option 1
VendorKNX Association
Vulnerability TypeOverly Restrictive Account Lockout Mechanism
Attack PrerequisiteAdditional security options NOT enabled
CISA KEV StatusAdded 2026-07-15
CWECWE-645: Overly Restrictive Account Lockout Mechanism

Affected Products

ProductComponentNotes
KNX ProtocolConnection Authorization Option 1Affected when additional security options are not enabled

This vulnerability specifically applies to KNX devices and installations that rely on Connection Authorization Option 1 without deploying additional security configurations. Installations using the newer KNX IP Secure or KNX Data Secure extensions may have additional protections in place.


Technical Analysis

What is KNX?

KNX is an open standard for commercial and residential building automation — the backbone of intelligent building control systems worldwide. It is used to control:

  • Lighting and blinds/shading
  • HVAC (heating, ventilation, air conditioning)
  • Access control and alarm systems
  • Energy management and metering
  • Audio/visual and intercom systems

KNX runs over various physical layers (twisted pair, IP, powerline, RF) and is deployed in millions of commercial buildings, data centers, hospitals, airports, and smart homes globally.

The Vulnerability

Connection Authorization Option 1 in KNX provides a basic access control mechanism using a BCU key (a 4-byte password protecting the device programming interface). The vulnerability arises from a design weakness in how the protocol handles the BCU key protection:

  • An attacker with access to the KNX bus (physical or IP) can exploit the overly restrictive lockout mechanism
  • By sending specially crafted connection authorization requests, the attacker can purge all device configurations on unprotected devices
  • More critically, the attacker can overwrite the BCU key — setting an attacker-controlled key that prevents legitimate administrators from accessing or reprogramming the affected devices

Once the BCU key is overwritten, the devices remain functional but cannot be reconfigured without knowing the new key, which the attacker controls. In the worst case, devices can be locked out permanently if the BCU key is set to a value the attacker does not disclose.

Attack Flow

1. Attacker gains access to the KNX bus network
   (physical TP bus access, IP tunnel, or KNXnet/IP gateway)
2. Attacker identifies target devices using standard ETS discovery
3. Attacker sends crafted Connection Authorization requests
4. Devices without additional security options accept the manipulated requests
5. Attacker purges device application programs and group address tables
6. Attacker sets new BCU key value — original administrators locked out
7. Devices remain powered but uncontrollable without attacker's key

Why This Is Especially Dangerous in OT/Building Automation

Unlike traditional IT systems, building automation devices:

  • Run continuously — taking them offline for remediation disrupts business operations
  • Are widely networked — a single KNX IP gateway can expose hundreds of bus devices
  • Are difficult to audit — building managers often lack visibility into device states
  • Have long replacement cycles — hardware is typically not replaced for 10–20 years
  • Lack security monitoring — building automation systems rarely have EDR or SIEM coverage

A successful attack could:

  • Disable HVAC in data centers or medical facilities, triggering thermal shutdowns
  • Lock out access control systems, trapping occupants or blocking emergency response
  • Cut lighting in critical operations environments
  • Disrupt energy management systems, causing uncontrolled power consumption

Impact Assessment

Impact AreaDescription
Device LockoutBCU key overwrite locks legitimate admins out of all affected devices
Configuration PurgeApplication programs and group addresses can be wiped from devices
Operational DisruptionBuilding systems (HVAC, lighting, access) become uncontrollable
Persistent Denial of ServiceWithout the new BCU key, recovery requires physical device reset
Physical Safety RiskCritical systems (medical, emergency lighting) may be affected

Immediate Remediation

Step 1: Enable Additional KNX Security Options

The primary mitigation is to configure KNX installations with the security extensions provided in modern KNX standards:

  • KNX IP Secure: Encrypts and authenticates KNX IP communication using TLS and AES-128
  • KNX Data Secure: Provides end-to-end encryption and authentication at the data link layer

These options are configurable via the ETS (Engineering Tool Software) programming environment.

Step 2: Audit BCU Key Usage

# In ETS (Engineering Tool Software):
# 1. Check all devices for BCU key protection status
# 2. Document current BCU key values for all critical devices
# 3. Verify BCU keys have not been unexpectedly changed
# 4. Set strong, unique BCU keys on all unprotected devices

Step 3: Restrict KNX Bus Access

# Network segmentation measures:
# - Isolate KNX IP gateways on dedicated VLANs
# - Block public access to KNXnet/IP ports (UDP 3671)
# - Restrict access to ETS programming interfaces
# - Implement access control lists for KNX IP connections
# - Consider IP-based firewalling between IT and OT networks

Step 4: Inventory and Assess Exposure

# Identify all KNX IP gateways and tunnels exposed to:
# - Corporate IT network
# - Internet (directly or via forwarding)
# - Wi-Fi networks accessible to visitors
# - Any network not exclusively under building management control

Detection Indicators

IndicatorDescription
Unexpected ETS programming connectionsUnauthorized ETS sessions from unknown IP addresses
BCU key changesDevice BCU keys changed without authorized programming session
Group address table erasureDevices reporting erased application programs
KNXnet/IP traffic from unknown sourcesUnexpected tunneling connections to KNX IP gateways
Device non-responsivenessDevices that were operational becoming unresponsive to bus commands

Post-Remediation Checklist

  1. Enable KNX IP Secure or KNX Data Secure on all applicable devices and gateways
  2. Audit all device BCU keys — verify they have not been altered
  3. Document and store BCU keys in a secure password management system
  4. Restrict KNXnet/IP gateway access to authorized management systems only
  5. Review ETS access logs for unauthorized programming connections
  6. Apply firmware updates for all KNX IP gateways — check vendor advisories
  7. Physically inspect devices if remote audit indicates potential tampering
  8. Test system functionality after remediation to verify no disruption to operations
  9. Train building management staff on KNX security risks and indicators of compromise

CISA KEV Context

CISA's addition of CVE-2023-4346 to the Known Exploited Vulnerabilities catalog on July 15, 2026 indicates this vulnerability has been actively exploited in real-world attacks against operational technology environments. Federal agencies are required to remediate KEV-listed vulnerabilities within CISA's mandated timeframe. Organizations operating KNX-based building automation systems should treat this as an urgent operational risk regardless of sector.


References

  • CISA KEV — CVE-2023-4346
  • NVD — CVE-2023-4346
  • KNX Association — Security Overview
  • KNX IP Secure Documentation
#CVE-2023-4346#KNX#IoT#Building Automation#Account Lockout#CISA KEV#Vulnerability

Related Articles

CVE-2008-4128: Cisco IOS Cross-Site Request Forgery Vulnerability

Cisco IOS 12.4 contains multiple CSRF vulnerabilities that allow remote attackers to execute arbitrary commands. The flaw has been added to the CISA Known Exploited Vulnerabilities catalog, signaling active exploitation.

3 min read

CVE-2026-48939: iCagenda Unrestricted File Upload Allows PHP Code Execution

A critical unrestricted file upload vulnerability in the iCagenda Joomla event calendar plugin allows unauthenticated attackers to upload arbitrary PHP...

3 min read

CVE-2026-56291: Balbooa Forms Unrestricted File Upload Enables Full RCE

A critical unauthenticated file upload vulnerability in Balbooa Forms for Joomla allows attackers to upload executable files and achieve full remote code...

3 min read
Back to all Security Alerts