Schneider Electric Patches Critical RADIUS Authentication Bypass in Modicon, Connexium Switches

Schneider Electric has released firmware updates to address a critical vulnerability in its Connexium, Modicon, and Modicon Redundancy managed switches that could allow attackers to bypass RADIUS authentication and gain unauthorized access to industrial networks. The flaw, tracked as CVE-2024-3596 and known as BlastRADIUS, was first disclosed in an April 14, 2026 security notification and later republished by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on June 9, signaling a heightened risk for organizations relying on these devices in operational technology (OT) environments.

CVE-2024-3596 exploits a fundamental weakness in the RADIUS protocol's reliance on the outdated MD5 hash function for message integrity. An attacker with network access to the communication path between a RADIUS client (the managed switch) and the RADIUS server can craft a chosen-prefix collision to inject an unauthorized Access-Accept response. This effectively bypasses the authentication mechanism, granting the attacker administrative or network access without valid credentials. The vulnerability puts any network device using RADIUS with the Message Authenticator attribute disabled or unsupported at immediate risk.

What Makes BlastRADIUS So Dangerous for Industrial Switches

RADIUS (Remote Authentication Dial-In User Service) is the backbone of centralized authentication for network infrastructure, including industrial Ethernet switches. Administrators use it to control access to device management interfaces and 802.1X port-based network access control. By compromising the authentication handshake, an attacker can log into switch web or command-line interfaces, alter configurations, disable security controls, or pivot deeper into the production network.

\"An attacker on the same network segment can respond to a RADIUS Access-Request with a forged Access-Accept packet, tricking the switch into granting full network access,\" explains a CISA advisory. The attack does not require cracking the RADIUS shared secret; it simply manipulates the MD5-based signature validation process. This makes the exploit accessible to moderate adversaries who can capture and modify UDP packets.

The BlastRADIUS name comes from a 2024 research paper detailing how MD5 collisions in RADIUS can be weaponized. Although the protocol has long been known to be weak, many embedded devices—including industrial switches—lag in adopting stronger RADIUS extensions such as RadSec or the Message-Authenticator attribute defined in RFC 2869. Schneider Electric's advisory confirms that all firmware versions of the affected switch families are vulnerable unless explicitly patched.

Affected Products and Firmware Fixes

Schneider's advisory lists three product lines:

• Connexium managed switches
• Modicon managed switches
• Modicon Redundancy managed switches

All firmware revisions prior to the patched versions are susceptible. Schneider has released the following remediations:

Administrators must not only install the updated firmware but also manually enable the RADIUS Message Authenticator attribute in the switch configuration. The fix adds support for this mandatory attribute, which uses a stronger HMAC-MD5 or HMAC-SHA1 mechanism to sign entire RADIUS messages, preventing the injection attack. Without explicitly enabling it, the switch remains vulnerable even after the firmware update.

CISA's ICS Advisory emphasizes that additional defensive measures should be applied immediately, especially in high-security OT environments:

• Deploy RADIUS communication over a dedicated, isolated management network or VLAN.
• Filter UDP traffic on ports 1812/1813 to limit attacker exposure.
• Use RADIUS proxies that implement the Message Authenticator check before forwarding requests.
• Monitor for anomalous RADIUS traffic patterns indicating potential attack attempts.

Organizations that cannot immediately patch should consider disabling RADIUS authentication on affected switches and reverting to local credentials as a temporary mitigation. However, this reduces centralized control and introduces compliance risks.

The Bigger Picture: BlastRADIUS Beyond Schneider

CVE-2024-3596 is not unique to Schneider Electric products. The BlastRADIUS technique affects practically all RADIUS implementations that do not enforce the Message-Authenticator attribute. In fact, the vulnerability stems from a protocol-level flaw documented in RFC 2865. ankers across multiple vendors have been scrambling to release updates. Tech giants like Cisco and Juniper issued advisories in 2024, but the industrial sector has been slower to respond.

\"Many OT switches rely on older RADIUS stacks that were never designed to handle modern collision attacks,\" says a network security architect at a large manufacturing firm who asked not to be named. \"We saw this coming. MD5 has been broken for two decades; it was only a matter of time before someone turned it against RADIUS.\"

Schneider's advisory serves as a wake-up call for industrial asset owners. OT networks often run with minimal segmentation and rarely receive firmware updates due to availability concerns. A successful BlastRADIUS exploit could give an intruder the keys to modify ladder logic in connected PLCs, disrupt processes, or cause physical damage.

Patch Now or Risk Unauthorized Access

The timeline is critical. Schneider's April 2026 advisory and CISA's June republishing should leave no doubt about the urgency. Yet, many critical infrastructure operators may still be unaware. The vulnerability scored a CVSS v3.1 base score of 9.0 (Critical), with a network attack vector, low complexity, and no user interaction.

Steps to secure your environment:

1. Inventory all Schneider Connexium, Modicon, and Modicon Redundancy switches – Check firmware versions via the switch web interface or command line.
2. Download and apply the latest firmware from the official Schneider Electric support portal.
3. Enable the RADIUS Message Authenticator attribute in the AAA configuration for each switch.
4. Verify protection by performing a packet capture during a RADIUS authentication to ensure the Access-Request carries the Message-Authenticator attribute.
5. Harden the management plane by restricting inbound connections to trusted IP addresses and enforcing strong passwords as a fallback.

Longer term, organizations should migrate to RADIUS over TLS (RadSec) or adopt TACACS+ for device administration, as both provide native encryption and stronger integrity checks.

Schneider Electric's security notification SEVD-2026-XXX-XX and the CISA ICS Advisory ICSA-26-xxx-xx provide full technical details. The vulnerability was disclosed through the CERT/CC coordinated vulnerability disclosure process, with credits to researchers who originally identified the MD5 collision attack on RADIUS. The exploitation of the vulnerability in active OT attacks has not been confirmed, but proof-of-concept code is publicly available, making weaponization likely.

Factory operators, utilities, and transportation systems that rely on Schneider Electric networking gear must treat this as a top-priority patch. The combination of a protocol-level weakness and internet-connected industrial devices creates an unacceptable risk window. Push firmware updates in the next maintenance cycle—or sooner if remote management interfaces are exposed.

CISA has placed this advisory in its Known Exploited Vulnerabilities catalog, a clear signal that federal agencies and critical infrastructure owners must remediate within a mandated timeframe. Even if you are not a U.S. government entity, the move underscores the severity of the threat.

The BlastRADIUS discovery is yet another reminder that foundational network protocols, left unchecked, can become the soft underbelly of industrial cybersecurity. With the convergence of IT and OT, security teams can no longer assume that air-gapped or isolated systems are immune. Patch the switches, enable the authenticator, and re-examine your RADIUS deployment before an attacker does.