CVE-2023-25556

HIGH

Schneider Electric Merten KNX Devices - Improper Authentication via Short Key Entry

Title source: llm

Description

A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation.

References (1)

Core 1

Core References

Vendor Advisory

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-045-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-045-03.pdf

Scores

CVSS v3 8.3

EPSS 0.0010

EPSS Percentile 28.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (9)

schneider-electric/merten_instabus_tastermodul_1fach_system_m_firmware 1.0

schneider-electric/merten_instabus_tastermodul_2fach_system_m_firmware 1.0

schneider-electric/merten_jalousie-\/schaltaktor_reg-k\/8x\/16x\/10_m._hb_firmware 1.0

schneider-electric/merten_knx_argus_180\/2\,20m_up_system_firmware 1.0

schneider-electric/merten_knx_schaltakt.2x6a_up_m.2_eing._firmware 0.1

schneider-electric/merten_knx_uni-dimmaktor_ll_reg-k\/2x230\/300_w_firmware 1.0

schneider-electric/merten_knx_uni-dimmaktor_ll_reg-k\/2x230\/300_w_firmware 1.1

schneider-electric/merten_tasterschnittstelle_4fach_plus_firmware 1.0

schneider-electric/merten_tasterschnittstelle_4fach_plus_firmware 1.2

Published Apr 18, 2023

Tracked Since Feb 18, 2026