>samit_hota
Back to advisories
SH-2026-121HighOpen

Advisory: Critical KNX Protocol Lockout Vulnerability (CVE-2023-4346)

Samit Hota·
CVE ID
CVE-2023-4346
CVSS Score
7.5
Affected Products
KNX Association KNX Protocol Connection Authorization Option 1
#kev#knx-association

Overview

Today, we’re highlighting CVE-2023-4346, a high-severity vulnerability impacting the KNX Protocol Connection Authorization Option 1. This flaw, with a CVSS score of 7.5, presents a significant risk to unpatched KNX installations, particularly those without additional security measures. The core issue lies within an overly restrictive account lockout mechanism, which, under specific conditions, can be leveraged by an attacker to effectively purge and lock down KNX devices by setting a new Bus Coupling Unit (BCU) key. This vulnerability has serious implications for the availability and integrity of KNX-based systems, which are widely deployed in building automation, smart homes, and industrial control environments.

Technical Details

The vulnerability specifically targets the Connection Authorization Option 1 within the KNX protocol. This option is intended to provide a layer of access control, but its implementation of account lockout is problematic. An attacker can exploit this by repeatedly failing authentication attempts. Instead of merely locking out a specific, compromised account or IP address for a temporary period, the mechanism can lead to a more severe outcome. In configurations where additional security options are not enabled, a successful exploitation allows an attacker to initiate a device purge. This means the device’s configuration and programming can be wiped. More critically, the attacker can then set a new BCU key, effectively locking legitimate administrators and users out of their own devices and the wider KNX installation. This creates a denial-of-service condition and potentially allows for persistent unauthorized control or disruption. The attack vector is typically network-based, targeting devices directly exposed or accessible within the local network. This is particularly concerning given the prevalence of KNX in environments that may lack robust network segmentation.

Real-World Impact

While concrete evidence of widespread exploitation in the wild for CVE-2023-4346 specifically is not broadly published, the implications of this vulnerability are severe, especially for critical infrastructure, commercial buildings, and high-value residential properties. KNX systems are the backbone for controlling lighting, heating, ventilation, air conditioning, security, and access control. A successful attack could lead to significant operational disruptions, loss of environmental control, and potential security breaches. For instance, in a commercial building, an attacker could disable HVAC systems, disrupt lighting schedules, or lock occupants out of specific areas. In an industrial context, the manipulation or disabling of control systems could have safety and production ramifications. The lack of readily available information on specific incidents shouldn’t be mistaken for a lack of risk; often, incidents involving building automation systems go unreported publicly or are handled discreetly due to their sensitive nature.

Organizations leveraging KNX should consider the potential for both targeted attacks and opportunistic scanning, as the protocol’s widespread use makes it an attractive target for malicious actors looking to cause disruption or gain unauthorized access to physical environments. The fact that an attacker can set a BCU key to lock the device means that recovery could be complex and time-consuming, potentially requiring physical access to devices and significant reconfiguration efforts.

Threat Landscape

Given the nature of KNX systems, the primary threat actors leveraging such vulnerabilities are likely to fall into a few categories. Nation-state actors or highly sophisticated criminal organizations might target critical infrastructure or high-profile commercial facilities for espionage, sabotage, or to extort ransoms. Their goal would be to disrupt operations or gain persistent access to sensitive environments. Less sophisticated attackers, including financially motivated groups, might also use this vulnerability in broader ransomware campaigns or for denial-of-service attacks, aiming to extort payment for restoring control to legitimate users.

The relatively niche expertise required for deep exploitation of building automation protocols might limit the number of actors, but the increasing availability of open-source tools and detailed technical analyses lowers the bar over time. The “overly restrictive account lockout” class of vulnerabilities, while not always leading to full system compromise, consistently poses a significant threat to availability and integrity. As smart building technologies become more interconnected, vulnerabilities like CVE-2023-4346 become part of a larger attack surface that can be chained with other flaws to achieve more comprehensive control. Threat actors often scan for internet-exposed KNX interfaces, making proper network segmentation and perimeter security paramount.

Remediation

The immediate and most critical action is to apply mitigations in accordance with vendor instructions. While specific patches may vary, ensure your KNX systems comply with CISA’s BOD 26-04 “Prioritizing Security Updates Based on Risk” guidance, along with CISA’s “Forensics Triage Requirements.” For cloud services utilizing KNX components, follow applicable BOD 26-04 guidance. If vendor mitigations are unavailable, or if the product cannot be adequately secured, discontinuing its use should be seriously considered.

Beyond applying vendor-provided fixes, stakeholders must rigorously evaluate each asset’s internet exposure. KNX devices and their interfaces should never be directly exposed to the internet. Implement robust network segmentation to isolate building automation networks from enterprise IT networks and the internet. Use firewalls to restrict traffic to only necessary ports and trusted sources. Implement strong access controls and multi-factor authentication where possible. Regularly audit configurations to ensure that “additional security options” mentioned in the vulnerability description are enabled, if available, as these can act as critical defense-in-depth measures against this specific lockout mechanism flaw. Finally, maintain comprehensive backups of KNX device configurations to facilitate rapid recovery in the event of a successful attack. The due date for addressing this vulnerability is July 29, 2026, making timely action imperative.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call