A newly KEV-listed vulnerability in the KNX building-automation protocol allows unauthenticated attackers to lock devices and purge configurations, with CISA confirming active exploitation.
What Is It
CVE-2023-4346 is an overly restrictive account lockout mechanism vulnerability (CWE-645) in KNX Protocol Connection Authorization Option 1. KNX devices that use KNX Connection Authorization and support Option 1 can, depending on implementation, be locked such that users cannot reset them to regain access. The BCU key feature can set a device password, but that password often cannot be reset without entering the current password. An attacker who can reach the KNX installation over a network can interface with it, purge all devices that lack additional security options, and set a BCU key; locking the device. The same exploitation is possible for an attacker with physical access to a device even when it is not network-connected.
Why It Matters
CISA added CVE-2023-4346 to its Known Exploited Vulnerabilities catalog on 2026-07-15, and CISA's SSVC assessment marks exploitation status as active and automatable. The flaw carries a CVSS 3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, network-reachable, low complexity, no privileges or user interaction required, with a high impact to availability. Successful exploitation denies access to affected building-automation devices.
What's Vulnerable
- Vendor/Product: KNX Association; KNX Protocol Connection Authorization Option 1
- Affected: All versions (version 0 and later flagged as affected; CPE
cpe:2.3:a:knx:connection_authorization) - Condition: Devices using KNX Connection Authorization that support Option 1, depending on implementation
Patch Status
CISA's required action is to apply mitigations in accordance with vendor instructions, in compliance with BOD 26-04 (Prioritizing Security Updates Based on Risk) and CISA's Forensics Triage Requirements. Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The remediation due date is 2026-07-29. Known ransomware campaign use is listed as Unknown.