A German building ran on its circuit breakers

In October 2021 a mid-sized site belonging to a German engineering company lost its light switches. Not the lights, the switches. Staff walked to the electrical cabinet and threw breakers by hand, because the building's own controls no longer answered. Shutter control was gone the same way. Several hundred KNX components sat in the walls and ceilings doing nothing at all, and three-quarters of them were non-operational.

Limes Security, the Austrian firm that documented the case, established what had happened. Attackers had reached the KNX bus over the internet, unloaded the devices, and then set the BCU key themselves. The key is the bus lock. Whoever sets it holds it. The owner did not hold it.

Every vendor the company contacted said the same thing: no reset is possible, the devices are bricked. Rip-and-replace was quoted at over EUR 100,000 in hardware alone. Limes Security eventually recovered the key by dumping CPU memory and constraining the brute-force space enough to make the search finish. The case is known as KNXlock, and no ransom was ever demanded.

What CISA actually did on 15 July

On 15 July 2026 CISA added CVE-2023-4346 to its Known Exploited Vulnerabilities catalog, published in catalog version 2026.07.16 at 17:00:15Z on 16 July. The remediation due date is 29 July 2026. That is a fourteen-day window. Other entries in the same July run were given three days.

The flaw sits in the KNX Association's KNX protocol, specifically Connection Authorization Option 1. It is classified CWE-645, an overly restrictive account lockout, and it carries CVSS 7.5 HIGH with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. That score is real rather than a vendor's own reading: NVD holds a Primary 7.5 from [email protected]. CISA records known ransomware campaign use as Unknown. The CVE was published on 29 August 2023 and last modified on 16 July 2026.

Nothing about the underlying problem is new, and the piece of writing that describes it is not new either. CISA advisory ICSA-23-236-01 is a 2023 document, reported by Felix Eberstaller of Limes Security. KNXlock is a 2021 incident. The only new fact is the KEV addition and the clock attached to it. What changed is enforcement, not the vulnerability.

There is no patch, and that is the point

No software update fixes this. CISA's advisory scopes the exposure as KNX devices using Connection Authorization Option 1 Style in which no BCU key is currently set, all versions. Read that carefully. The condition is not an old firmware build. The condition is an empty setting.

The remedy is to set the BCU key. That is a configuration action performed during commissioning, in the integrator's project file, on the physical bus. It does not arrive through a patch cycle. It cannot be pushed from a management console. It is not visible to the tooling that your security team already runs, because that tooling looks for versions and this is not a version problem.

The advisory's own metadata says the rest out loud. Countries and areas deployed: Europe. Company headquarters location: Belgium. Sector: Critical Manufacturing. A scan by Alpha Strike Labs, carried out in 2023, found more than 16,000 potentially vulnerable systems in the DACH area. That number is three years old and should be read as a 2023 snapshot, not as today's count.

Why it survived three years

The gap is organisational, not technical. Setting a BCU key belongs to whoever commissioned the building. That is an integrator or a facilities contractor, working from a project file, often several years ago, frequently under a contract that closed at handover. That person is not on your security team and in many cases no longer answers your calls.

So the finding lands in an IT queue where nobody owns the remedy. The security team can see the advisory and cannot act on it. The facilities team can act on it and never sees the advisory. Three years passed in that seam. MITRE added the technique to ATT&CK for ICS as T0892, Change Credential, in spring 2023, which put a name on the method without putting a name on the owner.

The loss model explains the neglect too. Most security budgets are built around a payout or a data-protection duty, and this failure mode has neither. Nobody asked the German company for money and no personal data moved. The attacker simply set the key, the vendors confirmed there was no way back, and the hardware bill still ran past EUR 100,000.

The deadline does not bind you, and the exposure still does

Be clear about scope. The 29 July 2026 date arises under CISA's Binding Operational Directive BOD 26-04 and it binds US federal civilian agencies. It does not legally bind a European owner. If your estate is in Frankfurt or Manchester, no American directive obliges you to do anything by that date.

The asymmetry is the story. The buildings are overwhelmingly European, the standard is European, its association sits in Belgium, and the binding deadline is American. In our reading the European hook is NIS2, not the CISA date, and we offer that as our reading rather than as law. NIS2 duties turn on your sector and your risk management obligations, and a building-automation bus reachable from the internet is a risk management fact whatever calendar you keep.

The action fits in one sentence and it does not go to IT. Ask your building integrator or facilities contractor two things: is the KNX bus reachable from the internet, and was a BCU key ever set at commissioning. If the answer to the second is no, or if nobody can find the project file to tell you, you are in the scope CISA described and you are one internet-reachable path away from the October 2021 outcome.