CVE-2023-4346
KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability
- 대응 우선순위
- 최우선
- CVSS
- 7.5
- EPSS
- - 백분위 -
- CISA KEV
- 등록
- 조치 기한
- 2026.07.29
- 공개일
- 2023.08.30
CISA KEV에 등록된 실제 악용 확인 취약점
KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking...
제품 KNX Association KNX Protocol Connection Authorization Option 1, connection authorization
영향 버전 KNX Association KNX Protocol Connection Authorization Option 1, connection authorization · 영향 버전은 공급사 공식자료 확인 필요
수정 버전 KNX Association KNX Protocol Connection Authorization Option 1, connection authorization · 수정 버전은 공급사 공식자료 확인 필요
영향 여부, 우선 대응, 정식 해결과 결과 확인 절차를 요약합니다.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
조치 기한: 2026.07.29KNX Association KNX Protocol Connection Authorization Option 1, connection authorization의 현재 전체 버전이 공식 영향 범위(KNX Association KNX Protocol Connection Authorization Option 1, connection authorization · 영향 버전은 공급사 공식자료 확인 필요)에 포함되는지 확인합니다. OS를 선택하면 해당 OS의 제품·패키지·KB·APAR 확인 명령만 표시됩니다.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
패치 후 같은 명령으로 전체 버전을 다시 확인해 KNX Association KNX Protocol Connection Authorization Option 1, connection authorization · 수정 버전은 공급사 공식자료 확인 필요 기준을 충족하는지 확인합니다. 이어서 유형 미확정 관련 오류·공격 흔적이 새로 발생하지 않는지 확인합니다.
CVSS 벡터 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE CWE-645
KEV 등록일 2026.07.15
랜섬웨어 캠페인 사용 미확인
CISA 비고 https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01 ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2023-4346