2026-07-16 · view entry permalink →
CVE-2023-4346 — KNX building-automation protocol: account-lockout DoS added to CISA KEV, no software patch (CVSS 7.5)
CISA added CVE-2023-4346 to its Known Exploited Vulnerabilities catalog on 15 July 2026, alongside the Oracle E-Business Suite flaw, and updated the underlying ICS advisory to carry a "known public exploitation" note (CISA ICSA-23-236-01, 2026-07-15; CISA KEV alert, 2026-07-15). The flaw itself is three years old — reported by Felix Eberstaller of Limes Security and published in August 2023 — and had no prior KEV listing until this update. KNX is a widely deployed European building-automation bus protocol (KNX Association is headquartered in Belgium) used for HVAC, lighting, access control and BMS integration, so the exposure sits under any large public-sector or critical-infrastructure estate with smart-building controls.
The design flaw (CWE-645, overly restrictive account-lockout mechanism, CVSS 7.5, availability-only) is in KNX Connection Authorization Option 1: any device that has never had its BCU (Bus Coupling Unit) key set can be purged by an attacker with network access to the KNX installation, who then sets a new BCU key and permanently locks legitimate operators out — with no reset path short of the current password (CISA ICSA-23-236-01, 2026-07-15). An attacker with only physical access to the bus can do the same. KNX Association has issued no software fix in three years; the remediation is entirely procedural — set the BCU key during commissioning.
Exploitable remotely/low attack complexity/known public exploitation
If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device.