Schneider Electric Modicon and Connexium Managed Switches — RADIUS Protocol Authentication Forgery Vulnerability (CVE-2024-3596)
Schneider Electric has disclosed a critical security vulnerability affecting its Connexium and Modicon families of managed network switches, which are widely deployed as network access control enforcement points in industrial and operational technology environments. The vulnerability, tracked as CVE-2024-3596 with a CVSS v3.1 score of 9.0 (Critical), stems from a fundamental cryptographic weakness in the RADIUS authentication protocol (RFC 2865) that allows an on-path attacker to forge authentication responses — potentially granting unauthorized devices access to protected network segments without valid credentials.
The attack behind CVE-2024-3596 targets the MD5-based Response Authenticator field defined in the RADIUS protocol specification. An attacker with a man-in-the-middle position between a RADIUS client (the managed switch) and its authentication server can execute a chosen-prefix collision attack against the MD5 hash, modifying any legitimate authentication response — converting an Access-Reject into an Access-Accept — without either party detecting the tampering. This class of attack, known as "BlastRADIUS," requires only interception capability on the network path between the switch and the RADIUS server, and does not require authentication credentials or endpoint software compromise.
The affected devices — Connexium Managed Switches (TCSESM* model series), Modicon Managed Switches (MCSESM*, MCSESP*), and Modicon Redundancy Switches (MCSESR*) — are integral to OT network infrastructure across critical industries including energy, water, manufacturing, and transportation. All versions of these devices are affected. No firmware patch is currently available; remediation requires configuration changes to enforce the RADIUS Message Authenticator attribute, which provides an HMAC-MD5 integrity check over the full RADIUS packet and significantly raises the bar for forgery attacks.
Threats and Vulnerabilities
CVE-2024-3596, with a CVSS v3.1 score of 9.0 (Critical), carries a network attack vector with no required privileges and no user interaction, though it demands high attack complexity due to the need for an on-path man-in-the-middle position between a RADIUS client and server. The vulnerability is classified under CWE-354 (Improper Validation of Integrity Check Value) and CWE-924 (Improper Enforcement of Message Integrity During Transmission in a Communication Channel). The root cause is the RADIUS protocol's reliance on MD5 — a cryptographically broken hash function — to authenticate server responses; an attacker who can intercept RADIUS UDP traffic on ports 1812 or 1645 can compute a chosen-prefix collision that produces a valid MD5 Response Authenticator for a forged packet, effectively converting any legitimate response into an arbitrary one of the attacker's choosing. All versions of Connexium Managed Switches (TCSESM*), Modicon Managed Switches (MCSESM*, MCSESP*), and Modicon Redundancy Switches (MCSESR*) are vulnerable when configured to use RADIUS authentication and when enforcement of the Message Authenticator attribute is not enabled. No active exploitation targeting Schneider Electric products has been confirmed at this time, and CVE-2024-3596 does not currently appear in the CISA Known Exploited Vulnerabilities catalog.
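The two integrity mechanisms contrasted above, the unkeyed MD5 Response Authenticator of RFC 2865 and the HMAC-MD5 Message-Authenticator attribute of RFC 3579 that mitigation 1 tells operators to enforce, can be seen side by side in the following Python. It is an added example, not code from Schneider Electric, 1898 & Co. or SEVD-2026-104-02. The shared secret, identifier and attribute contents are constructed sample values, and the require_ma flag is this example's own name for the client-side enforcement setting; it does not compute any collision, it only shows what each check covers and what a client accepts when enforcement is off.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1                # RFC 2865 section 5.1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579 section 3.2
HEADER_LEN = 20                   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed sample secret for this example only; a real deployment uses its own.
SECRET = b"constructed-shared-secret"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (Length covers the whole attribute)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    This unkeyed MD5 construction is the weak link: an MD5 collision lets a modified
    code or attribute list keep a digest the client accepts."""
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def message_authenticator(code: int, ident: int, request_auth: bytes,
                          attrs_zeroed: bytes, secret: bytes) -> bytes:
    """RFC 3579 section 3.2: HMAC-MD5 keyed with the shared secret over the whole packet,
    computed with the Message-Authenticator value set to sixteen zero octets. For
    responses, the Authenticator field holds the Request Authenticator."""
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_zeroed))
    return hmac.new(secret, hdr + request_auth + attrs_zeroed, hashlib.md5).digest()


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes,
                   secret: bytes, include_ma: bool = True) -> bytes:
    """Server side: append Message-Authenticator (if enabled), then fill the header."""
    if include_ma:
        zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        ma = message_authenticator(code, ident, request_auth, zeroed, secret)
        attrs = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, ma)
    resp_auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + resp_auth + attrs


def parse_attrs(data: bytes):
    """Return a list of (type, value, value_offset) tuples; rejects malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[pos + 2:pos + alen], pos + 2))
        pos += alen
    return out


def verify_response(packet: bytes, request_auth: bytes, secret: bytes,
                    require_ma: bool = True):
    """Client (switch) side check. Returns (accepted, reason). With require_ma=False the
    client behaves like the vulnerable default: a response carrying only the MD5
    Response Authenticator is trusted."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    resp_auth, attrs = packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected_ra = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(resp_auth, expected_ra):
        return False, "bad Response Authenticator"
    try:
        found = [(v, off) for t, v, off in parse_attrs(attrs) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError as exc:
        return False, str(exc)
    if not found:
        if require_ma:
            return False, "Message-Authenticator missing"
        return True, "accepted on MD5 Response Authenticator only"
    value, off = found[0]
    if len(value) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = attrs[:off] + b"\x00" * 16 + attrs[off + 16:]
    expected_ma = message_authenticator(code, ident, request_auth, zeroed, secret)
    if not hmac.compare_digest(value, expected_ma):
        return False, "bad Message-Authenticator"
    return True, "ok"


if __name__ == "__main__":
    req_auth = os.urandom(16)  # the switch's Request Authenticator from its Access-Request
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, attr(ATTR_USER_NAME, b"plc-01"), SECRET)
    print(verify_response(reply, req_auth, SECRET))                      # (True, 'ok')
    legacy = build_response(ACCESS_REJECT, 7, req_auth, b"", SECRET, include_ma=False)
    print(verify_response(legacy, req_auth, SECRET))                     # attribute missing
    print(verify_response(legacy, req_auth, SECRET, require_ma=False))   # trusted (weak)
```

The point to take from the two digest functions is what each one keys on: the Response Authenticator mixes the secret into a plain MD5 input, while the Message-Authenticator uses the secret as an HMAC key over the entire packet, which is why a client that refuses responses lacking the attribute is no longer at the mercy of an MD5 collision on the header digest. Enforcement is only meaningful if the server emits the attribute on every response, so both sides have to be configured together.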
Client Impact
Organizations using affected Connexium or Modicon managed switches as RADIUS-enabled 802.1X network access control points face the risk of unauthorized devices obtaining authenticated network admission without valid credentials. In OT and industrial environments — where these switches frequently govern access to production VLANs, process control networks, historian segments, and safety instrumented systems — a successful forgery attack could allow a rogue endpoint to appear fully authenticated, bypassing the primary access control perimeter. Once admitted, an unauthorized device could attempt lateral movement toward programmable logic controllers, engineering workstations, HMIs, or distributed control system components. Because no firmware update is currently available, environments relying solely on RADIUS for 802.1X port authentication operate with a structurally weakened network access control boundary until configuration mitigations are applied.
Organizations subject to NERC CIP standards, ISA/IEC 62443, or NIST SP 800-82 guidance face compliance considerations from this disclosure. NERC CIP-005 requires documented and enforced electronic security perimeters; a cryptographically compromised authentication mechanism underlying those perimeters may constitute a control deficiency requiring risk documentation, compensating control implementation, or both. Organizations in the electric utility, oil and gas, water and wastewater, and manufacturing sectors should assess whether affected switch deployments represent a gap in their current compliance posture and maintain records of interim mitigation actions pending vendor patch availability.
Mitigations
To reduce exposure to CVE-2024-3596, the following actions are recommended:
1. Enable enforcement of the RADIUS Message Authenticator attribute on all affected Connexium and Modicon managed switches using the device-specific CLI or SNMP parameters documented in SEVD-2026-104-02; this attribute provides an HMAC-MD5 integrity check over the full RADIUS packet and is disabled by default on these devices.
2. Restrict RADIUS authentication traffic to dedicated, isolated management VLANs and enforce access control lists that limit which network hosts may originate or receive RADIUS protocol communications on UDP ports 1812 and 1645.
3. Monitor RADIUS server and NPS event logs for anomalies, including Access-Accept responses for devices not matching known MAC address or certificate profiles, unexpected authentication cycling, or Access-Accept events following prior rejections for the same supplicant.
4. Evaluate migration from RADIUS/MD5 to RADIUS over TLS (RADSEC, RFC 6614) or certificate-based 802.1X authentication (EAP-TLS), which are not subject to MD5 collision vulnerabilities and provide mutual authentication with forward secrecy.
5. Apply network microsegmentation and additional access controls within OT-critical VLANs — do not rely on 802.1X port authentication as the sole control for access to PLC, HMI, or safety system segments; ensure unauthorized devices admitted to an access-controlled segment cannot directly reach critical OT assets.
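Mitigation 3 above lists the log anomalies worth alerting on. The following Python is an added example, not from Schneider Electric, 1898 & Co. or SEVD-2026-104-02, that applies two of those checks over constructed log lines: an Access-Accept for a supplicant outside a known inventory (or whose identity does not match the inventory entry for its MAC), and an Access-Accept that follows recent Access-Rejects for the same supplicant. The one-line log format, the KNOWN_SUPPLICANTS inventory, the five-minute window and the two-reject threshold are all assumptions of this example; real RADIUS or NPS logs need their own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log format for this example; real RADIUS/NPS logs differ and
# would need their own parser. Fields: timestamp, result, user, supplicant MAC, NAS.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Access-Accept|Access-Reject) "
    r"user=(?P<user>\S+) mac=(?P<mac>\S+) nas=(?P<nas>\S+)$"
)

# Assumed inventory: supplicant MAC -> expected identity (would come from an asset database).
KNOWN_SUPPLICANTS = {
    "00:11:22:33:44:55": "plc-07",
    "aa:bb:cc:dd:ee:01": "hmi-02",
    "aa:bb:cc:dd:ee:02": "eng-ws",
}

# Constructed sample log: a reject/reject/accept burst, a normal accept, an accept for an
# unknown MAC, and a reject followed by an accept far outside the window.
SAMPLE_LOG = """\
2024-07-10T10:00:01Z Access-Reject user=plc-07 mac=00:11:22:33:44:55 nas=switch-a
2024-07-10T10:00:05Z Access-Reject user=plc-07 mac=00:11:22:33:44:55 nas=switch-a
2024-07-10T10:00:09Z Access-Accept user=plc-07 mac=00:11:22:33:44:55 nas=switch-a
2024-07-10T10:02:00Z Access-Accept user=hmi-02 mac=aa:bb:cc:dd:ee:01 nas=switch-b
2024-07-10T10:03:30Z Access-Accept user=contractor mac=de:ad:be:ef:00:01 nas=switch-a
2024-07-10T10:04:00Z Access-Reject user=eng-ws mac=aa:bb:cc:dd:ee:02 nas=switch-b
2024-07-10T10:30:00Z Access-Accept user=eng-ws mac=aa:bb:cc:dd:ee:02 nas=switch-b
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def analyze(lines, window=timedelta(minutes=5), reject_threshold=2):
    """Return a list of alert dicts. Two rules, both from the advisory's monitoring item:
    - an Access-Accept for a supplicant not in the inventory, or whose identity does not
      match the inventory entry for that MAC;
    - an Access-Accept preceded by `reject_threshold` or more Access-Rejects for the same
      MAC inside `window`, the reject-then-accept pattern a forged response would leave."""
    alerts = []
    rejects = defaultdict(deque)  # mac -> timestamps of recent rejects
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a production pipeline would count these
        mac, ts = ev["mac"], ev["ts"]
        q = rejects[mac]
        while q and ts - q[0] > window:
            q.popleft()  # expire rejects older than the window
        if ev["result"] == "Access-Reject":
            q.append(ts)
            continue
        base = {"ts": ts.isoformat(), "mac": mac, "user": ev["user"], "nas": ev["nas"]}
        expected = KNOWN_SUPPLICANTS.get(mac)
        if expected is None:
            alerts.append({"rule": "unknown-supplicant-accepted", **base})
        elif expected != ev["user"]:
            alerts.append({"rule": "identity-mismatch", "expected": expected, **base})
        if len(q) >= reject_threshold:
            alerts.append({"rule": "accept-after-rejects", "prior_rejects": len(q), **base})
        q.clear()  # one alert per reject/accept episode
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this raises two alerts: the plc-07 accept that follows two rejects within nine seconds, and the accept for the unrecorded contractor MAC. The eng-ws accept is not flagged because its earlier reject falls outside the window; tune the window and threshold to the normal re-authentication behaviour of the supplicants on each switch, since machine supplicants in OT rarely fail and then succeed within seconds.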
Monitor Schneider Electric's ProductCERT security notification portal and CISA ICS-CERT for firmware updates addressing this vulnerability as they become available.
1898 & Co. Response
1898 & Co. provides ongoing monitoring of critical vulnerability disclosures affecting industrial control systems and operational technology environments as part of its managed security services portfolio. Our threat intelligence team tracks Schneider Electric ProductCERT advisories and CISA ICS-CERT publications to identify vulnerabilities relevant to our clients' OT infrastructure and deliver timely, actionable guidance that accounts for the operational constraints common in industrial environments.
When vulnerabilities affecting network-layer authentication infrastructure are disclosed — particularly in OT environments where traditional endpoint patching cycles may not apply — our team develops tailored mitigation guidance that addresses change control windows, production uptime requirements, and the absence of vendor firmware patches. Our OT security specialists can assist clients in implementing RADIUS configuration hardening, assessing 802.1X deployment architecture, and evaluating alternative authentication frameworks suited to industrial environments.
1898 & Co. maintains active awareness of Schneider Electric's ProductCERT disclosure lifecycle and will alert clients when firmware updates addressing CVE-2024-3596 become available. Clients with questions about the applicability of this vulnerability to their specific Connexium or Modicon switch deployments, or who require assistance planning configuration remediations within operational windows, are encouraged to engage our OT security team directly.
Sources
1. Schneider Electric Security Notification SEVD-2026-104-02