U.S. CISA adds KNX Association KNX Protocol Connection Authorization Option 1 and Oracle flaws to its Known Exploited Vulnerabilities catalog


U.S. CISA adds KNX Association KNX Protocol Connection Authorization Option 1 and Oracle flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
July 17, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds KNX Association KNX Protocol Connection Authorization Option 1 and Oracle flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The flaws added to the catalog are:

  • CVE-2023-4346 KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability
  • CVE-2026-46817 Oracle E-Business Suite Improper Privilege Management Vulnerability  

The vulnerability CVE-2023-4346 (CVSS score of 7.5) is an improper account lockout mechanism flaw affecting KNX devices that use KNX Connection Authorization Option 1. An attacker with access to the KNX network, or physical access to the device, can set a BCU key and lock the device, preventing legitimate users from resetting access. The issue can cause device availability loss and disrupt KNX installations.

KNX Connection Authorization Option 1 is a security mechanism in KNX building automation systems that controls access to devices by using a shared key (BCU key). It helps prevent unauthorized configuration changes, but weaker implementations can allow attackers to lock devices if they obtain network access.

The flaw CVE-2026-46817 affects Oracle Payments versions 12.2.3 through 12.2.15 and allows unauthenticated attackers to take over vulnerable systems over HTTP. Oracle fixed the issue in last month’s Critical Patch Update and urges customers to apply the patches immediately. In early July, Defused Cyber researchers warned that this vulnerability is being actively exploited.

Defused Cyber did not disclose technical details about the attacks that exploited the flaw or the motivation of the attackers.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to urgently fix the Oracle flaw by July 18, 2026, and address the KNX Association KNX Protocol Connection Authorization Option 1 flaw by July 29, 2026

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


After months of rumors and two keynote events in May 2026, Google has finally released Android 17, the stable version. It’s rolling out to eligible Pixel devices today, including models in the Pixel 6 lineup, all the way to the latest Pixel 10 series.

The stable build contains plenty of features showcased at The Android Show and Google I/O, but if you were hoping to get your hands on Gemini Intelligence, that will ship later this summer to “select advanced devices.” With that out of the way, here’s what Android 17 offers at launch.

So what’s actually new in Android 17?

The most immediately useful addition is Bubbles, a feature that lets you access a select number of apps in the form of a floating window over another app or a circular app icon on the screen when minimized. 

You can access the feature by long-pressing an app icon and selecting the Bubble option. It’s best suited for your two or three-app workflows, letting you access them one after the other with a single tap on the screen. On foldables and tablets, bubbles dock into a dedicated bar at the bottom of the display. 

Android 17 also gets Screen Reactions, a feature that lets you record your phone’s screen along with your face (via the front-facing camera) simultaneously. It’s primarily for content creators, who can now make reaction videos without opening an editing app. 

What about gaming, security, and everything else?

On the gaming side, foldables get a new 50/50 layout with the game view up top and a dynamic gamepad below. Google has also made memory cleanup more efficient, so that gamers don’t experience frame drops and stutters while playing demanding video games. 

Security gets a meaningful upgrade with features like temporary location permissions and contact-level sharing controls (vs. sharing the entire address book). The Mark as Lost feature in the Find Hub now locks your phone via biometrics so nobody can unlock and reset it with the passcode.

Google also caps PIN guessing, with longer wait times between failed attempts. Rounding out the Android 17 update are hidden app names on the home screen, a dedicated volume slider for your AI assistant (Gemini on Pixel phones), Parental Controls expanding to all Android devices, and app memory limits for preserving system resources.  

Today is the day 👀

— Android Developers (@AndroidDev) June 16, 2026

While Pixel phones are the first to get the update, expect other OEMs to announce their Android 17-based updates in the coming weeks. Samsung, for instance, is expected to roll out One UI 9 at the second Galaxy Unpacked event of the year, rumored to take place on July 22, 2026. Other brands like OnePlus should follow soon.



Source link