Skip to main content
CVE-2023-4346 High No Patch

CVE-2023-4346: KNX Protocol — BCU Key Lockout Enables Permanent Building Automation Denial of Service

CVE Details

CVE ID CVE-2023-4346
CVSS Score 7.5
Severity High
Vendor KNX Association
Product KNX Protocol
Patch Status Not Available
Published July 16, 2026
EPSS Score 0.9%
CISA Patch Deadline July 29, 2026

Background

KNX is the dominant open standard for building automation and control in commercial and residential installations across Europe and internationally. It manages HVAC, lighting, access control, blinds, energy metering, and safety systems in buildings ranging from single-family homes to large commercial and industrial facilities. KNX devices communicate over a shared bus network using a standardized protocol, with configuration stored locally on each device.

CVE-2023-4346 describes a fundamental weakness in the KNX protocol’s authentication and device management model. The Bus Coupling Unit (BCU) key is a protection mechanism that prevents unauthorized reprogramming of KNX devices. Paradoxically, the same mechanism can be exploited to permanently prevent legitimate administrators from reconfiguring or recovering devices — causing irreversible denial of service at the device level that requires physical replacement to resolve.

The CVSS 3.1 base score is 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). CISA added this vulnerability to the Known Exploited Vulnerabilities catalog with a July 29, 2026 remediation deadline. Although the CVE was originally assigned in 2023, active exploitation observed in 2026 prompted the KEV listing.

Technical Mechanism

KNX devices store their application programs and configuration in device memory. The KNX programming model allows any device on the KNX bus — or over KNXnet/IP tunneling across IP networks — to send management telegrams to any other device, including telegrams that erase device memory or reprogram device applications.

The BCU key is the KNX protection mechanism intended to prevent unauthorized device access. When set, a device requires the correct BCU key before it will accept programming or management commands. The vulnerability arises from two compounding weaknesses:

Step 1 — Unauthenticated configuration erasure (CWE-306): KNX devices accept memory write and program download commands from any source on the bus without requiring authentication or a BCU key. This allows an unauthenticated attacker to erase a device’s entire application program and configuration — leaving it in a factory-reset state but still programmable.

Step 2 — BCU key injection: After erasing the application (which also clears any previously configured BCU key), the attacker can send a BCU key set command with an arbitrary key value the attacker controls. The device accepts this command since it is no longer protected.

Result — Permanent lockout: The device is now locked with a BCU key known only to the attacker. The legitimate building automation administrator cannot reprogram, reconfigure, or recover the device. KNX’s BCU key recovery mechanism requires physical access to the device’s programming button in many device classes, but some devices have no key recovery mechanism beyond factory reset procedures that may themselves be blocked by the unknown BCU key — requiring physical device replacement.

The attack can target any KNX device reachable on the bus or through KNXnet/IP tunneling. An IP-connected KNX installation exposes all bus devices to network-reachable attack without requiring physical access to the bus wiring.

Real-World Exploitation Evidence

CISA’s 2026 KEV listing confirms active exploitation of this vulnerability. The gap between the original 2023 CVE assignment and the 2026 exploitation listing reflects a pattern seen in ICS/OT vulnerabilities: research publications and proof-of-concept demonstrations create attacker awareness years before operationalized exploitation appears in the wild.

The attack is particularly attractive to actors targeting building automation systems in critical facilities — hospitals, data centers, government buildings, and industrial sites — where HVAC and access control disruption carries operational impact beyond a conventional IT outage. Facilities dependent on precision environmental controls for data center cooling, pharmaceutical cold chains, or clinical environments face heightened risk.

Building automation systems also tend to have long device lifecycles and infrequent security patching. KNX deployments installed before the BCU key vulnerability was widely understood may lack any BCU key protection on individual devices, leaving them fully open to step 2 of the attack directly.

Impact Assessment

  • Permanent denial of service for affected KNX devices — configuration erasure followed by BCU key lockout prevents any legitimate reprogramming
  • Loss of building automation function: HVAC, lighting, access control, and safety systems may cease normal operation
  • Physical device replacement required in cases where BCU key recovery is not possible
  • Potential cascading impact in environments where HVAC failure affects temperature-critical infrastructure (data centers, cold chain storage, clinical environments)
  • In IP-connected KNX deployments, all bus devices are potentially reachable without physical bus access
  • No vendor patch applicable to the core protocol weakness — mitigations are architectural and operational

Affected Versions

ProductAffectedNotes
All KNX-certified devices supporting BCU key managementProtocol-level vulnerabilityAffects KNX TP, KNX IP, KNX RF device classes
KNX TP (Twisted Pair) bus devicesAllPhysical bus access required unless IP-connected
KNX IP devices and KNXnet/IP tunneling endpointsAllNetwork-reachable attack vector
KNX RF (Radio Frequency) devicesAllRF range-dependent attack vector

The vulnerability is in the KNX protocol specification itself, not in a specific firmware version. All conformant KNX devices are affected. There is no patched version of the protocol or firmware that resolves the underlying weakness.

Remediation Steps

There is no patch for this vulnerability — it is a protocol design issue. Mitigations are architectural and operational:

  1. Segment KNX IP networks from corporate and internet-accessible networks using dedicated VLANs and firewall rules. KNXnet/IP traffic (UDP port 3671) should not be accessible from untrusted network segments.

  2. Set BCU keys on all KNX devices before attackers can do so. If devices do not currently have a BCU key configured, apply one using ETS (Engineering Tool Software) and record the key securely. A protected device requires the correct key to accept programming commands:

    • In ETS, navigate to each device’s properties
    • Set BCU protection under the Device Properties or Security section
    • Document and store BCU keys in your building management system credential vault
  3. Disable KNXnet/IP tunneling on IP routers/gateways unless IP-based programming access is operationally required. If KNXnet/IP is required, restrict it to specific management workstation IP addresses using access control lists on the KNX IP gateway.

  4. Use KNX Secure (KNX Data Security and KNX IP Secure), introduced in the KNX specification to address authentication weaknesses. KNX Secure requires devices to support the secure extensions and a corresponding ETS configuration. This requires hardware that supports KNX Secure — older devices do not and cannot be upgraded.

  5. Implement network monitoring on the KNX IP segment to alert on unexpected management telegrams or connections from unauthorized endpoints.

  6. Audit current BCU key status across all KNX devices in your installation using ETS. Devices in factory-reset state or without BCU key protection are immediately vulnerable.

Detection Guidance

Network Traffic Monitoring

On KNX IP installations, monitor for KNXnet/IP tunneling connections (UDP/TCP port 3671) from unexpected source addresses:

  • Baseline legitimate KNXnet/IP sources (ETS programming workstations, supervision systems)
  • Alert on connections from any source not in the allowlist
  • Monitor for unusually high volume of management/programming telegrams, which may indicate a sweep-and-lock attack against multiple devices

KNX Bus Telegram Monitoring

In installations with a KNX IP gateway or logging system:

  • Monitor for memory write telegrams (APCI MemoryWrite) sent to device groups outside scheduled maintenance windows
  • Monitor for BCU key set commands (DeviceDescriptor_Write, UserMemory_Write to protection key addresses)
  • Alert on any device entering factory-reset programming mode (indicated by acknowledgment telegrams in response to programming unlock sequences)

Operational Indicators

  • Devices ceasing normal operation without a maintenance event or fault in device logs
  • ETS unable to connect to or program devices that were previously accessible (may indicate BCU key lockout)
  • Building management system reporting loss of communication with previously healthy device addresses
  • Unexpected changes in device behavior (outputs stuck, group communication not responding)

Timeline

DateEvent
2023CVE-2023-4346 assigned; vulnerability reported to KNX Association
2023-2025Security research publications and conference presentations describe KNX BCU key attack patterns
2026-07Active exploitation observed; CISA adds CVE-2023-4346 to Known Exploited Vulnerabilities catalog
2026-07-29CISA BOD 26-04 remediation deadline for federal agencies

References