CVE-2023-4346 — KNX building-automation protocol: account-lockout DoS added to CISA KEV, no software patch (CVSS 7.5)
CISA added CVE-2023-4346 to its Known Exploited Vulnerabilities catalog on 15 July 2026, alongside the Oracle E-Business Suite flaw, and updated the underlying ICS advisory to carry a "known public exploitation" note (CISA ICSA-23-236-01, 2026-07-15; CISA KEV alert, 2026-07-15). The flaw itself is three years old — reported by Felix Eberstaller of Limes Security and published in August 2023 — and had no prior KEV listing until this update. KNX is a widely deployed European building-automation bus protocol (KNX Association is headquartered in Belgium) used for HVAC, lighting, access control and BMS integration, so the exposure sits under any large public-sector or critical-infrastructure estate with smart-building controls.
The design flaw (CWE-645, overly restrictive account-lockout mechanism, CVSS 7.5, availability-only) is in KNX Connection Authorization Option 1: any device that has never had its BCU (Bus Coupling Unit) key set can be purged by an attacker with network access to the KNX installation, who then sets a new BCU key and permanently locks legitimate operators out — with no reset path short of the current password (CISA ICSA-23-236-01, 2026-07-15). An attacker with only physical access to the bus can do the same. KNX Association has issued no software fix in three years; the remediation is entirely procedural — set the BCU key during commissioning.
Exploitable remotely/low attack complexity/known public exploitation
If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device.
Defender actions
- Set the BCU key on every KNX Connection Authorization Option-1 device that lacks one (per the KNX Secure Checklist) and place IP-KNX routers/gateways behind a firewall, off any internet-reachable segment — there is no patch, so segmentation and commissioning hygiene are the only controls.
ATT&CK mapping
1 technique mapped from the cited reporting · MITRE ATT&CK v19.1
Impact TA0040
T1499Endpoint Denial of Service
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.