Exploits

KNX Visualisering Broken Access Control Exposes Panels

Published  ·  5 min read

Vulnerability in KNX visualisering panels can compromise the smart building control system due to an unauthorized access attack. The vulnerability is brought about by poor access controls and the absence of any form of rate limiting when entering the pin codes. 

Attackers who lack any means of authenticating themselves can hack into the panel.

What is KNX Visualisering?

KNX is a standard which is used extensively for building automation. This is used to automate processes like lighting control, blind operation, heating, ventilation, and even security in residential or business buildings. 

KNX visualisering panels help to offer touch screens for controlling such tasks in a centralized manner and can even be done remotely through the internet.

The Vulnerability

The KNX visualisering broken access control vulnerability permits an attacker to take control of the panel through brute forcing the pin code. There is no rate limiting on the pin verification endpoint, so the attacker will not get limited by the number of attempts made.

It is possible for the attacker to locate the exposed KNX visualisering panels through the use of search engines such as Shodan, ZoomEye, and Fofa. Dorks for these platforms provide thousands of such panels which are available online. 

After locating the panels, the attacker can brute force the pin code using Burp Suite. The length of the pin is variable in different panels, but there is no rate limitation, making the enumeration easy. Brute force attacks are also a common method for bypassing authentication controls.

How the Attack is Performed

Initially, the attack involves using dorks from Shodan to locate any KNX visualization panels that are available. The usage of the query "KNX visualisering" results in obtaining the list of panels available by HTTP protocol. 

In order to attack one of the panels, the attacker needs to use the following POST request to the PIN authentication URL:

POST /scada-vis/pin?return=index HTTP/1.1
Host: 62.163.74.206
Content-Type: application/x-www-form-urlencoded

pin=123456

Using trial and error, the attacker immediately establishes that the pin has a length of six characters. Using Burp Suite's Intruder component, the attacker performs a brute-force attack on the pin box between 000000 to 999999. 

Once the pin is correctly guessed, the attacker gets a 302 response code from the server, along with a session cookie:

HTTP/1.1 302 Moved Temporarily
Set-Cookie: pin=200908; Path=/
Location: /scada-vis/index

Once the pin is correctly identified, the attacker gains access to all functionalities of the KNX visualization panel. In other cases, panels lack any type of security and can be accessed straight away. 

The attacker thus has full control over the building's automation system. They can alter lighting, heating, security systems, and even disrupt operations.

Real-World Examples

The exploit document includes specific examples of vulnerable panels:

  • https://85.147.34.42/scada-vis - No authentication required
  • https://185.72.160.230/scada-vis - No authentication required

These panels expose SCADA-like visualisation interfaces to the public internet. SCADAvis is a synoptic panel plugin for Grafana that provides powerful SCADA-like graphics. When exposed without proper controls, these systems become accessible to anyone.

Why This Matters

Smart building panels control critical infrastructure. A breached panel can compromise business operations, alter environment control settings and may result in hazardous situations. For commercial buildings, the attacker can tamper with the security system or the HVAC control and even commit physical damage. 

With no rate limiting or proper access controls in place, these panels are highly vulnerable to exploitation. As per the author of the exploit, “most panels don’t require authentication” a significant oversight in smart building security.

Protecting your KNX panels

The following actions should be taken to mitigate the vulnerability of KNX visualisering broken access control:

  • Use strict authentication procedures by implementing authentication for all access, both local and remote.
  • Limit the amount of login attempt on a particular IP address.
  • Limit the exposure of your system to the internet by implementing IP whitelisting or the use of a virtual private network.
  • Inspect the logs for anything that is suspicious regarding the logins and any attempts made through brute force.
  • Ensure that all updates regarding the problem with access control issued by the vendor are installed.

The use of rate limiting middleware may be implemented on the application level with the help of such packages as RateLimit package for .NET or similar solutions for other platforms. Rate limiting is a critical defence against brute force attacks.

The Bottom Line

The KNX Visualisering Broken Access Control vulnerability is a critical threat to smart building security. Exposed panels, weak authentication, and lack of rate limiting provide an easy way in for hackers. 

The building owners and system integrators need to review and secure their installations and apply appropriate controls.

FAQ Section

What is KNX visualisering?

KNX visualisering is a centralised touchscreen interface for managing KNX smart building systems, including lighting, blinds, heating, and security.

What is the vulnerability of KNX panels?

The vulnerability of KNX panels is weak access control along with an absence of rate limiting when entering pin codes.

How do attackers discover exposed panels?

Attackers scan the Internet with search engines such as Shodan, ZoomEye, and Fofa with dorks like title:"KNX visualisering" to find panels accessible over the internet.

Could it be possible that all KNX panels are vulnerable to this kind of vulnerability?

Not all panels are vulnerable to this type of attack. This may vary depending upon the configuration and the internet access. Nevertheless, most of the panels are vulnerable by default.

How can I protect my KNX panel from this kind of threat?

You need to perform proper authentication, rate limiting, minimal internet access, and also look at the logs and apply vendor security updates.

Source: Exploit DB
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067