KNX Connection Authorization Option 1 account-lockout misuse
The account-lockout mechanism in the KNX Association's Connection Authorization Option 1 lets an unauthenticated attacker on a KNX segment purge devices and set a BCU key that locks legitimate operators out. Added to CISA KEV 2026-07-15.
- Vendor
- KNX Association
- Product
- KNX Protocol (Connection Authorization Option 1)
- CVSS
- N/A
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2023-4346 is an overly restrictive account-lockout mechanism (CWE-645) in the KNX Association’s Connection Authorization Option 1 scheme, the basic security profile for the KNX building-automation bus. An attacker able to speak KNX on the same segment as target devices — reachable through a KNXnet/IP gateway on a routable network, a compromised building-management workstation, or RF proximity for KNX RF — can trigger the lockout on every device on the segment without any authentication, then set a Bus Coupling Unit (BCU) key of their choice that legitimate operators cannot easily reverse. The result is a persistent denial-of-service across a KNX installation: lights, HVAC, blinds, access control, or whichever subsystem the bus carries.
Enabling the extended security options provided by the KNX standard (Connection Authorization Option 2 and KNX Secure) mitigates the flaw; the CISA advisory scopes the impact specifically to installations that have left those options disabled, which remains the shipped default for the majority of installed KNX segments.
CISA published ICSA-23-236-01 on 24 August 2023 and added CVE-2023-4346 to the Known Exploited Vulnerabilities catalog on 15 July 2026, bringing it under BOD 26-04 remediation timelines for federal civilian executive branch agencies. The NVD entry carries the CVE record.
See the article KNX account-lockout flaw added to CISA KEV, three years on for the full write-up.
