Skip to content
feed: live
>_ 0dayNews
ics ot
● Breaking

KNX account-lockout flaw added to CISA KEV, three years on

CVE-2023-4346 turns the KNX Association's account-lockout mechanism into a device-purge weapon on a building-automation bus. CISA added it to KEV under BOD 26-04.

KNX account-lockout flaw added to CISA KEV, three years on
Photo: Livewireshock / Wikimedia Commons · CC BY-SA 3.0
loop Loop · Published · 3 min read

CVE-2023-4346 is a design flaw in the “Connection Authorization Option 1” scheme defined by the KNX Association, the standards body behind the international building-automation protocol. The lockout mechanism the standard uses to blunt brute-force attempts against a device’s Bus Coupling Unit (BCU) key is itself the attack surface: with no additional security options enabled — the shipped default across most of the installed base — an unauthenticated attacker able to speak KNX on a segment can trigger the lockout, purge every device it reaches, and set a BCU key of the attacker’s choosing that locks legitimate operators out of their own bus. The security control operating against its user, not against the attacker.

CISA published ICSA-23-236-01 on 24 August 2023 and, on 15 July 2026, added CVE-2023-4346 to the Known Exploited Vulnerabilities catalog, pulling it under BOD 26-04 remediation timelines for federal civilian executive branch agencies. The NVD entry for CVE-2023-4346 has the CVE record.

Where these live

KNX is the ISO/IEC 14543-3 standard for building automation — lighting, HVAC, blinds, access control, energy metering. It runs on twisted pair (KNX TP), powerline (KNX PL), radio (KNX RF), and IP (KNXnet/IP), and where the physical layer terminates, it terminates in a room. When a facilities integrator refers to a KNX segment as “IT-adjacent,” they usually mean the twin-jacketed green cable behind the drop ceiling, not the fibre in the datacenter.

That distinction matters here because a KNX segment is rarely on someone’s asset inventory. It is on a facilities-management schematic, in a binder, in a facilities office — the same binder that has the original as-built drawings from whenever the building was fitted out. The bus is still running because the wiring is still running, and neither has needed to change since the sensors and actuators were commissioned. Legacy is not the word most infosec teams reach for on a building fielded five years ago, but at the physical layer it is the accurate one.

What the KEV addition actually forces

The BOD 26-04 clock only binds federal civilian executive branch agencies — the same audience the CISA SharePoint entries added under the same directive target. Private-sector building owners are not on that clock. But every federal facility that runs KNX for its lighting, HVAC, or access control now is, and “our smart-building control lives on a bus in a mechanical room” is closer to standard than exotic in the newer federal building portfolio.

The remediation the directive requires is patching to a fixed firmware — which in the KNX case means device-by-device across whichever manufacturer’s KNX modules the building runs (Siemens, ABB, Schneider Electric, Gira, Zennio, and dozens of smaller integrators all sell KNX-certified hardware) — plus enabling the extended security options that the standard defines. The account-lockout flaw is scoped by the CISA advisory to installations that have left those options disabled, which the KEV entry states explicitly. Rolling forward to a KNX Secure configuration is the durable fix; patching Option 1 firmware is the interim one.

What to actually do

For any KNX installation touching a network path an outsider could reach — anything with a KNXnet/IP gateway exposed to the wired LAN, and anything on RF within antenna range of a public space — the practical priority is enabling KNX Secure on the affected segments and rolling the device firmware to the manufacturer’s fixed release for the affected controller line. Neither step is fast on a bus that was commissioned once and left alone: the keying ceremony has to be repeated, every device on the segment needs to accept the new profile, and the integrator bills for the rework.

The compensating control while that work is in flight is the same one that has always applied to a physical-bus protocol: keep the bus off routable networks. A KNX segment does not need to be reachable from the corporate LAN. A KNXnet/IP gateway does not need to answer traffic from anywhere but a specific building-management workstation. The KNX Association’s guidance on secure installation has said so for years; the KEV listing is the reminder that the installations that never followed it are the ones now on a clock.

Full technical detail lives in the /cve/cve-2023-4346/ entry; the CISA advisory is ICSA-23-236-01.

Related CVEs
  • [ MEDIUM ] CVE-2023-4346 KNX Connection Authorization Option 1 account-lockout misuse

Found this useful? Share it.