What is CVE-2023-4346?
KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way.
Timeline
- 2023-08-29Published to the U.S. National Vulnerability Database (NVD)
- 2026-07-15Added to the CISA Known Exploited Vulnerabilities (KEV) catalog
- 2026-07-15NVD record last updated
- 2026-07-29CISA federal remediation deadline (BOD 22-01)
CISA Known Exploited Vulnerability
KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability
Affected product
KNX Association KNX Protocol Connection Authorization Option 1
Remediation Steps
- Apply the vendor security update for KNX Association KNX Protocol Connection Authorization Option 1 as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References
Referenced in our briefings & reports
- Vulnerability Priority Report – Week 2 of July 2026 (July 13 – 19)
Browse all tracked CVEs in the defend.network CVE database →