Third-Party vulnerability on Modicon Networking Managed Switches

Act Now | CVSS 9 | SEVD-2026-104-02 | Apr 14, 2026
Schneider Electric | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Schneider Electric Modicon and Connexium Managed Switches are vulnerable to RADIUS protocol response forgery attacks. The vulnerability exists only when the RADIUS Server Message Authenticator option is disabled (non-default configuration). A network-positioned attacker can forge RADIUS responses to bypass authentication, or modify valid responses (Access-Accept, Access-Reject, Access-Challenge), potentially causing denial of service or loss of confidentiality and integrity of connected devices. The default RADIUS configuration is not vulnerable; the Message Authenticator option must remain enabled to prevent exploitation.

What this means
What could happen
An attacker with network access to a Modicon switch using RADIUS authentication could forge RADIUS responses to bypass authentication, gain unauthorized access to the network switch, and potentially deny service to devices connected to it or intercept their communications.
Who's at risk
Energy sector operators running Modicon Managed Switches, Modicon Redundancy Switches, or Connexium Managed Switches as network backbone infrastructure for industrial control systems. This affects any facility using these switches for authentication and network access control of ICS devices.
How it could be exploited
An attacker on the network segment containing the switch intercepts RADIUS authentication traffic between the switch and its RADIUS server. If the RADIUS Message Authenticator option is disabled (non-default configuration), the attacker can craft forged RADIUS responses (Access-Accept, Access-Reject, or Access-Challenge) that the switch will accept, bypassing authentication or forcing denial of service.
Prerequisites
  • Network access to RADIUS authentication traffic (same network segment as switch and RADIUS server)
  • RADIUS Message Authenticator option must be disabled on the affected switch (non-default configuration)
  • Switch using RADIUS for authentication
Tags: remotely exploitable; high EPSS score (12.3%); affects network infrastructure used in safety-critical systems; authentication bypass possible
Exploitability
Likely to be exploited — EPSS score 12.3%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (3)
3 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| Connexium Managed Switches All Versions | All versions | No fix yet |
| Modicon Managed Switches All Versions | All versions | No fix yet |
| Modicon Redundancy Switches All Versions | All versions | No fix yet |
Remediation & Mitigation
Do now
  • HARDENING: Verify that RADIUS Server Message Authenticator option is enabled (default state) on all Modicon and Connexium Managed Switches via CLI or SNMP configuration
  • HARDENING: If RADIUS Message Authenticator has been disabled, re-enable it immediately using CLI command 'radius server auth modify <index> msgauth' or SNMP MIB hm2AgentRadiusServerMsgAuth
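
The integrity check that the RADIUS Message-Authenticator attribute (type 80, RFC 2869 / RFC 3579) provides, shown as an added example that is not Schneider Electric code: it classifies a response as carrying a valid attribute, a bad one, or none at all. The function names, shared secret and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)

def check_response(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """Classify a RADIUS response as 'valid', 'missing' or 'invalid'."""
    if len(packet) < 20 or len(request_auth) != 16:
        return "invalid"
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "invalid"
    packet, pos, found = packet[:length], 20, None
    while pos + 2 <= length:  # walk the type-length-value attributes
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "invalid"
        if atype == MSG_AUTH:
            if alen != 18 or found is not None:
                return "invalid"
            found = pos + 2
        pos += alen
    if pos != length:
        return "invalid"
    if found is None:
        return "missing"  # response carries no HMAC protection
    # HMAC-MD5 over the packet with the Request Authenticator in the
    # authenticator field and the Message-Authenticator value zeroed.
    data = packet[:4] + request_auth + packet[20:found] + bytes(16) + packet[found + 16:]
    expected = hmac.new(secret, data, hashlib.md5).digest()
    ok = hmac.compare_digest(expected, packet[found:found + 16])
    return "valid" if ok else "invalid"

def build_sample(code, ident, request_auth, secret, attrs=b"", with_msg_auth=True):
    """Constructed sample response for the checks below (not captured traffic)."""
    if with_msg_auth:
        attrs = bytes([MSG_AUTH, 18]) + bytes(16) + attrs
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

if __name__ == "__main__":
    req, secret = bytes(range(16)), b"constructed-secret"
    reply = bytes([18, 4]) + b"ok"  # Reply-Message attribute
    for label, pkt in [("with attribute", build_sample(2, 7, req, secret, reply)),
                       ("without attribute", build_sample(2, 7, req, secret, reply, False))]:
        print(label, "->", check_response(pkt, req, secret))
```

A response classified as "missing" or "invalid" is one that a client enforcing the Message Authenticator option would be expected to discard.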
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Restrict network access to RADIUS server ports to authorized network segments and devices only, using network segmentation or firewall rules