ctipilot.ch

KNX Connection Authorization Option 1 overly-restrictive account-lockout DoS (CVSS 7.5, CWE-645); CISA KEV 2026-07-15, no software patch (procedural mitigation)

cve · CVE-2023-4346 single-source-national-cert

Coverage timeline
1
first 2026-07-16 → last 2026-07-16
Peak priority
notable
1 notable
Sources cited
2
1 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
1
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
KNX Connection Authorization Option 1 devices (no BCU key set)

ATT&CK techniques

1 technique observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Impact TA0040

T1499Endpoint Denial of Service×1

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Evidence: 2026-07-16/cve-2023-4346-knx-building-automation-lockout-dos-kev · ATT&CK page ↗

Story timeline

  1. 2026-07-16CVE-2023-4346 — KNX building-automation protocol: account-lockout DoS added to CISA KEV, no software patch (CVSS 7.5)
    trending-vulnerabilitiesA three-year-old KNX Connection Authorization lockout flaw joins CISA KEV as actively exploited — the fix is procedural, not a patch

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cisa.gov2 (100%)

explore in graph

Entries about KNX Connection Authorization Option 1 overly-restrictive account-lockout DoS (CVSS 7.5, CWE-645); CISA KEV 2026-07-15, no software patch (procedural mitigation) (1)

2026-07-16 · view entry permalink →

NOTABLECVE-2023-4346exploitedNATOA2

CVE-2023-4346 — KNX building-automation protocol: account-lockout DoS added to CISA KEV, no software patch (CVSS 7.5)

CISA added CVE-2023-4346 to its Known Exploited Vulnerabilities catalog on 15 July 2026, alongside the Oracle E-Business Suite flaw, and updated the underlying ICS advisory to carry a "known public exploitation" note (CISA ICSA-23-236-01, 2026-07-15; CISA KEV alert, 2026-07-15). The flaw itself is three years old — reported by Felix Eberstaller of Limes Security and published in August 2023 — and had no prior KEV listing until this update. KNX is a widely deployed European building-automation bus protocol (KNX Association is headquartered in Belgium) used for HVAC, lighting, access control and BMS integration, so the exposure sits under any large public-sector or critical-infrastructure estate with smart-building controls.

The design flaw (CWE-645, overly restrictive account-lockout mechanism, CVSS 7.5, availability-only) is in KNX Connection Authorization Option 1: any device that has never had its BCU (Bus Coupling Unit) key set can be purged by an attacker with network access to the KNX installation, who then sets a new BCU key and permanently locks legitimate operators out — with no reset path short of the current password (CISA ICSA-23-236-01, 2026-07-15). An attacker with only physical access to the bus can do the same. KNX Association has issued no software fix in three years; the remediation is entirely procedural — set the BCU key during commissioning.

Exploitable remotely/low attack complexity/known public exploitation

If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device.

CISA (ICS Advisory ICSA-23-236-01) 2026-07-15
vulnerability16 Jul 04:36Zsingle-source · national CERTOpen finding ↗