SYS::ONLINE
Wasteland.
Briefs1211
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2023-4346 2026-07-15

CVE-2023-4346: KNX Account Lockout Flaw Lets Attackers Brick Building Automation Devices

"A newly KEV-listed vulnerability in the KNX building-automation protocol allows unauthenticated attackers to lock devices and purge configurations, with CISA confirming active exploitation."

A newly KEV-listed vulnerability in the KNX building-automation protocol allows unauthenticated attackers to lock devices and purge configurations, with CISA confirming active exploitation.

What Is It

CVE-2023-4346 is an overly restrictive account lockout mechanism vulnerability (CWE-645) in KNX Protocol Connection Authorization Option 1. KNX devices that use KNX Connection Authorization and support Option 1 can, depending on implementation, be locked such that users cannot reset them to regain access. The BCU key feature can set a device password, but that password often cannot be reset without entering the current password. An attacker who can reach the KNX installation over a network can interface with it, purge all devices that lack additional security options, and set a BCU key; locking the device. The same exploitation is possible for an attacker with physical access to a device even when it is not network-connected.

Why It Matters

CISA added CVE-2023-4346 to its Known Exploited Vulnerabilities catalog on 2026-07-15, and CISA's SSVC assessment marks exploitation status as active and automatable. The flaw carries a CVSS 3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, network-reachable, low complexity, no privileges or user interaction required, with a high impact to availability. Successful exploitation denies access to affected building-automation devices.

What's Vulnerable

Patch Status

CISA's required action is to apply mitigations in accordance with vendor instructions, in compliance with BOD 26-04 (Prioritizing Security Updates Based on Risk) and CISA's Forensics Triage Requirements. Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The remediation due date is 2026-07-29. Known ransomware campaign use is listed as Unknown.

Sources