Merten KNX devices
Plan Patch | 8.3 | SEVD-2023-045-03 | Feb 14, 2023
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Merten KNX home automation products contain a vulnerability in the BCU (Backup Control Unit) key authentication mechanism. The affected products include button modules, switch interfaces, motion sensors, dimmer units, and relay switches used for lighting and temperature control in buildings. An attacker could exploit weak authentication to compromise the BCU key, gaining unauthorized control over the device. No patches are available for any of the affected products, and several have been discontinued.
What this means
What could happen
An attacker on the local network could bypass authentication on Merten KNX devices and compromise the backup control unit (BCU) key, potentially allowing unauthorized control of lighting and temperature systems or device modification.
Who's at risk
Lighting and temperature control operators using Merten KNX devices in building automation systems should care about this issue. Affected products include button modules (taster modules), switch interfaces, motion sensors (ARGUS), dimmer units, and relay switches installed in commercial and residential buildings. Several products are discontinued but may still be in use.
How it could be exploited
An attacker with access to the KNX network (adjacent network segment) can exploit weak authentication on the BCU key without needing valid credentials. Once the key is compromised, the attacker gains control over the device's configuration and operation.
Prerequisites
- Network access to the KNX device bus or wired connection to the device
- No valid credentials required
- Physical proximity or local network connectivity to the KNX installation
- No authentication required
- Low complexity attack
- No patch available
- Locally exploitable via KNX network
- Affects building automation and safety controls
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (9)
9 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Merten Tasterschnittstelle 4fach plus 670804 | 1.0 | No fix (EOL) |
| Merten KNX ARGUS 180/2,20M UP SYSTEM 631725 | 1.0 | No fix (EOL) |
| Merten Jalousie-/Schaltaktor REG-K/8x/16x/10 m. HB 649908 (Product discontinued) | 1.0 | No fix (EOL) |
| Merten KNX Schaltakt.2x6A UP m.2 Eing. MEG6003-0002 (Product discontinued) | 0.1 | No fix (EOL) |
| Merten INSTABUS Tastermodul 1fach System M 625199 | 1.0 | No fix (EOL) |
| Merten INSTABUS Tastermodul 2fach System M 625299 | 1.0 | No fix (EOL) |
| Merten Tasterschnittstelle 4fach plus 670804 | 1.2 | No fix (EOL) |
| Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002 (Product discontinued) | 1.0 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict physical access to KNX controllers and devices with locked cabinets; ensure devices are not left in Program mode
- WORKAROUND: Scan all removable media (USB drives, CDs) for malware before connecting to KNX network devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Keep programming workstations isolated and never connect programming software to networks outside the intended KNX network
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Merten Tasterschnittstelle 4fach plus 670804, Merten KNX ARGUS 180/2,20M UP SYSTEM 631725, Merten Jalousie-/Schaltaktor REG-K/8x/16x/10 m. HB 649908 (Product discontinued), Merten KNX Schaltakt.2x6A UP m.2 Eing. MEG6003-0002 (Product discontinued), Merten INSTABUS Tastermodul 1fach System M 625199, Merten INSTABUS Tastermodul 2fach System M 625299, Merten Tasterschnittstelle 4fach plus 670804, Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002 (Product discontinued), Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002 (Product discontinued). Apply the following compensating controls:
- HARDENING: Isolate all KNX control networks behind a firewall and separate from business/IT networks
- HARDENING: Prevent mobile devices from connecting to KNX networks unless they have previously connected only to that network
- HARDENING: Minimize internet exposure for all KNX devices; ensure they are not directly reachable from the internet
CVEs (1)