KNX Connection Authorization Option 1 CVE-2023-4346 actively exploited vulnerability: actively exploited vulnerability added to CISA KEV

Confirmed
Discovered Jul 15, 2026

CISA added CVE-2023-4346 affecting KNX Protocol Connection Authorization Option 1 to the Known Exploited Vulnerabilities catalog on 2026-07-15. This post scopes exposure, affected/fixed evidence, and IR handling without treating advisory sites as IOCs.

2
Affected Packages
3
Observables
2
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
knx-connection-authorization-option-1, fixed:
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
KNX Association
CVE-2023-4346
KNX Protocol Connection Authorization Option 1

Analysis

Executive Summary

CISA added CVE-2023-4346 for KNX Protocol Connection Authorization Option 1 to the Known Exploited Vulnerabilities catalog on 2026-07-15, which is the active-exploitation gate for this Halting Problems entry [1]. CISA describes an attacker with network or physical access can purge devices without additional security options enabled and set a BCU key that locks devices [1]. NVD records the affected product metadata and severity summarized below [3].

This entry is evidence-conservative. The reviewed sources provide active-exploitation status, product identity, affected-version or mitigation evidence, and vulnerability metadata, but they do not publish attacker-controlled infrastructure, file hashes, victim counts, or a campaign name. Source and advisory URLs are therefore kept as source selectors rather than IOC values.

Key Facts

CVE: CVE-2023-4346

Vendor: KNX Association

Product / Component: KNX Protocol Connection Authorization Option 1 (Connection Authorization Option 1 / BCU key handling)

KEV Added: 2026-07-15

KEV Due Date: 2026-07-29

Affected / Fixed or Mitigation Selectors:

  • knx-connection-authorization-option-1 affected implementation / version 0 selector
  • fixed: enable vendor-recommended KNX security options such as KNX IP Secure/Data Secure or remove exposed vulnerable configuration; no public semver fixed release identified

CVSS: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Evidence Assessment

Analysis table
ClaimStatusEvidence
CISA lists CVE-2023-4346 as exploited in the wild for KNX Protocol Connection Authorization Option 1.confirmedCISA KEV records date added 2026-07-15 and an active-exploitation-driven required action [1].
Direct or enrichment sources describe product identity and affected scope.confirmedVendor/government and NVD references identify KNX Protocol Connection Authorization Option 1 and the affected scope summarized above [2][3].
Public sources identify attacker infrastructure, hashes, or campaign attribution.not_observedCISA KEV, NVD, and linked references reviewed during this run do not publish those IOC classes.

Impact Determination

Treat exposed or business-critical KNX Protocol Connection Authorization Option 1 deployments as high-priority until version, configuration, and mitigation evidence are captured. Because CISA added this item to KEV, defenders should prioritize exploitation triage rather than only patch compliance. Preserve logs and configuration state before remediation so exploitation success, persistence, and credential/session exposure can be assessed.

Detection and Hunting

The reviewed hunt manifest ships with scripts/scope_knx-protocol-cve-2023-4346-kev.py. It scans asset inventories and exported logs for CVE-2023-4346, KNX Association, KNX Protocol Connection Authorization Option 1, affected/fixed selectors, source selectors, and product-specific telemetry phrases from the reviewed sources. Use it against CMDB exports, scanner exports, EDR file/log bundles, web/access logs, gateway logs, application logs, and incident evidence collected in a forensics-safe workspace.

Positive findings are scope signals, not proof of compromise. Escalate to product-specific IR by preserving UTC timelines, snapshots or hashes of relevant configs and logs, evidence owner, collection time, and chain-of-custody notes.

Remediation and Recovery Gates

  1. Inventory KNX installations that expose KNX interfaces to routable networks or untrusted physical access and identify devices using Connection Authorization Option 1.
  2. Enable KNX IP Secure, KNX Data Secure, or vendor-recommended additional security options where supported; otherwise isolate management interfaces and document compensating controls.
  3. Review gateway/router logs, ETS project history, commissioning records, and device state snapshots for unexpected purge/reset/BCU-key changes.
  4. Preserve controller/gateway configuration exports, ETS project backups, device serial/address maps, and operator notes with UTC collection times.
  5. If device lockout or purge is observed, rebuild from trusted ETS backups, rotate site/commissioning secrets where supported, and monitor for recurring unauthorized bus-management activity.

Indicators of Compromise

No attacker-controlled domains, URLs, hashes, or IP addresses were published by the sources reviewed for this entry. Machine-readable IOC fields are intentionally empty for those classes.

Open Questions

  • Which exploitation clusters are using CVE-2023-4346 in the wild?
  • Did vendor or researcher sources publish additional product-specific exploit telemetry after this automated refresh?
  • Are there environment-specific fixed build identifiers beyond the affected/fixed selectors recorded here?

Timeline

6 of 6 rows

Timeline
DateEventDescriptionSource
Jul 15, 2026DisclosureDisclosure recorded for KNX Connection Authorization Option 1 CVE-2023-4346 actively exploited vulnerability.cisa.gov
Jul 15, 2026DiscoveryDiscovery recorded for KNX Connection Authorization Option 1 CVE-2023-4346 actively exploited vulnerability.cisa.gov
Jul 29, 2026kev due datekev due date recorded for KNX Connection Authorization Option 1 CVE-2023-4346 actively exploited vulnerability.cisa.gov
Jul 15, 2026First seenFirst seen recorded for KNX Connection Authorization Option 1 CVE-2023-4346 actively exploited vulnerability.cisa.gov
Jul 15, 2026Patch or fixPatch or fix recorded for KNX Connection Authorization Option 1 CVE-2023-4346 actively exploited vulnerability.cisa.gov
Jul 15, 2026KNX Connection Authorization Option 1 CVE-2023-4346 actively exploited vulnerability: actively exploited vulnerability added to CISA KEVUnknowncisa.gov

Affected Software

2 of 2 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
knx-connection-authorization-option-1enterprise-softwareaffected implementation / version 0 selectorMalicious90%cisa.gov; nvd.nist.gov
fixed:enterprise-softwareenable vendor-recommended KNX security options such as KNX IP Secure/Data Secure or remove exposed vulnerable configuration; no public semver fixed release identifiedMalicious90%cisa.gov; nvd.nist.gov

IOC Clipboard

3 IOCs
commandKNX Association
commandCVE-2023-4346
commandKNX Protocol Connection Authorization Option 1

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
KNX CVE-2023-4346 asset and telemetry scopePythonDo inventories/logs contain CVE-2023-4346, KNX Association, KNX Protocol Connection Authorization Option 1, affected-version, mitigation, or telemetry selectors?scripts/scope_knx-protocol-cve-2023-4346-kev.py opens in a new tabcisa.gov

Hunt Manifest: KNX CVE-2023-4346 asset and telemetry scope

Title
KNX CVE-2023-4346 asset and telemetry scope
Question
Do inventories/logs contain CVE-2023-4346, KNX Association, KNX Protocol Connection Authorization Option 1, affected-version, mitigation, or telemetry selectors?
Telemetry Family
Python
Repository
scripts/scope_knx-protocol-cve-2023-4346-kev.py
Show tested hunting scriptscripts/scope_knx-protocol-cve-2023-4346-kev.py
scripts/scope_knx-protocol-cve-2023-4346-kev.py opens in a new tabPython
#!/usr/bin/env python3
"""Scope KNX CVE-2023-4346 exposure from local inventories and exported logs."""
from __future__ import annotations
import json, os, sys
from pathlib import Path
CVE_IDS=['CVE-2023-4346']
VENDOR='KNX Association'
PRODUCT='KNX Protocol Connection Authorization Option 1'
AFFECTED_VERSION_SELECTORS=['knx-connection-authorization-option-1 affected implementation / version 0 selector']
FIXED_OR_MITIGATION_SELECTORS=['fixed: enable vendor-recommended KNX security options such as KNX IP Secure/Data Secure or remove exposed vulnerable configuration; no public semver fixed release identified']
SOURCE_SELECTORS=['https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json', 'https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01', 'https://nvd.nist.gov/vuln/detail/CVE-2023-4346', 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4346']
DOMAINS=[]; HASHES=[]; URLS=[]; FILES=[]; NETWORK_PATTERNS=[]
PROCESS_PATTERNS=['KNX Protocol Connection Authorization Option 1', 'KNX Association', 'CVE-2023-4346']
PRODUCT_TELEMETRY_PATTERNS=['KNX', 'Connection Authorization Option 1', 'BCU key', 'purge all devices', 'KNX IP Secure', 'KNX Data Secure', 'CVE-2023-4346', 'device lockout', 'ETS project']
INDICATORS=list(dict.fromkeys(CVE_IDS+[VENDOR,PRODUCT]+AFFECTED_VERSION_SELECTORS+FIXED_OR_MITIGATION_SELECTORS+SOURCE_SELECTORS+PRODUCT_TELEMETRY_PATTERNS))
OUT=os.environ.get('OUT','hp-knx-protocol-cve-2023-4346-kev-scope')
TEXT_SUFFIXES={'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.conf','.ini','.md'}
EXCLUDED_DIR_NAMES={'.git','node_modules','vendor','dist','__pycache__','.venv'}
def read_text(path: Path)->str:
    try: return path.read_text(encoding='utf-8', errors='ignore')
    except Exception: return ''
def iter_files(root: Path):
    if root.is_file(): yield root; return
    for p in root.rglob('*'):
        if p.is_file() and not any(part in EXCLUDED_DIR_NAMES for part in p.parts):
            if not p.suffix or p.suffix.lower() in TEXT_SUFFIXES: yield p
def scan(root: Path):
    matches=[]; lowered=[s.lower() for s in INDICATORS if s]
    for path in iter_files(root):
        low=read_text(path).lower(); hits=sorted({INDICATORS[i] for i,s in enumerate(lowered) if s in low})
        if hits: matches.append({'path':str(path),'hits':hits})
    return matches
def main(argv=None):
    argv=argv or sys.argv[1:]; root=Path(argv[0]) if argv else Path('.')
    matches=scan(root); out_dir=Path(OUT); out_dir.mkdir(parents=True, exist_ok=True)
    report={'cves':CVE_IDS,'vendor':VENDOR,'product':PRODUCT,'affected_version_selectors':AFFECTED_VERSION_SELECTORS,'fixed_or_mitigation_selectors':FIXED_OR_MITIGATION_SELECTORS,'match_count':len(matches),'matches':matches}
    (out_dir/'scope_report.json').write_text(json.dumps(report,indent=2),encoding='utf-8')
    print(json.dumps({'cves':CVE_IDS,'match_count':len(matches),'report':str(out_dir/'scope_report.json')},indent=2))
    return 2 if matches else 0
if __name__=='__main__': raise SystemExit(main())

Provenance & Sources

2 of 2 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisa.govSecurity Researcher95%3CISA added CVE-2023-4346 affecting KNX Protocol Connection Authorization Option 1 to the Known Exploited Vulnerabilities catalog on 2026-07-15. This post scopes exposure, affected/fixed evidence, and IR handling without treating advisory sites as IOCs.
nvd.nist.govSecurity Researcher95%1CISA added CVE-2023-4346 affecting KNX Protocol Connection Authorization Option 1 to the Known Exploited Vulnerabilities catalog on 2026-07-15. This post scopes exposure, affected/fixed evidence, and IR handling without treating advisory sites as IOCs.