---
title: "Critical RADIUS Vulnerability in Schneider Electric Modicon Switches Exposed"
short_title: "Critical flaw in Schneider Electric Modicon switches"
description: "Schneider Electric warns of a critical RADIUS protocol vulnerability in Modicon switches, risking denial of service and data breaches. Learn mitigation steps now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [schneider-electric, radius-vulnerability, cve-2024-3596, industrial-cybersecurity, modicon-switches]
score: 0.85
cve_ids: [CVE-2024-3596]
---
## TL;DR
Schneider Electric has identified a critical RADIUS protocol vulnerability (CVE-2024-3596) in its Modicon Network Managed Switches. If exploited, this flaw could allow attackers to forge responses, modify device behavior, and cause denial of service or data breaches. All versions of Connexium, Modicon, and Modicon Redundancy Switches are affected. Immediate mitigation is required to prevent exploitation.
Main Content
### Introduction
Schneider Electric has issued an urgent advisory regarding a critical vulnerability in its Modicon Network Managed Switches, which are widely used in industrial environments. The flaw, tracked as CVE-2024-3596, stems from an improper enforcement of message integrity in the RADIUS protocol. This vulnerability could enable threat actors to alter legitimate responses, leading to denial of service (DoS), loss of confidentiality, and integrity breaches in connected devices. Organizations relying on these switches must act swiftly to apply mitigations.
### Key Points
- Vulnerability Impact: The flaw allows attackers to forge RADIUS protocol responses, potentially modifying Access-Accept, Access-Reject, or Access-Challenge messages.
- Affected Products: All versions of Connexium Managed Switches, Modicon Managed Switches, and Modicon Redundancy Switches are vulnerable.
- CVSS Score: The vulnerability has a critical CVSS v3 score of 9.0, indicating severe risk.
- Mitigation: Schneider Electric recommends enabling the RADIUS Server Message Authenticator option to prevent exploitation.
- Critical Sectors: The flaw impacts multiple sectors, including energy, water, transportation, and government facilities.
### Technical Details
The vulnerability (CVE-2024-3596) is classified under CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel. It arises when the RADIUS Server Message Authenticator option is disabled, leaving the system vulnerable to forgery attacks. Attackers can exploit this flaw to:
- Modify legitimate RADIUS responses, altering device behavior.
- Cause denial of service (DoS) by disrupting network communications.
- Compromise confidentiality and integrity of data transmitted through affected switches.
The CVSS v3.1 vector string for this vulnerability is:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting its high impact on confidentiality, integrity, and availability.
### Affected Systems
The following Schneider Electric Modicon Network Managed Switches are affected:
- Connexium Managed Switches (all versions)
- Modicon Managed Switches (all versions)
- Modicon Redundancy Switches (all versions)
### Mitigation Steps
Schneider Electric has provided the following mitigations to address the vulnerability:
1. Enable RADIUS Server Message Authenticator:
- The default configuration is not vulnerable, but if the RADIUS Server Message Authenticator option is disabled, the system becomes exposed.
- Ensure this parameter is enabled via CLI or SNMP for all affected switch models.
2. Configuration Commands:
- **For TCSESM switches*:
- CLI: radius server msgauth
- SNMP: hmAgentRadiusServerMsgAuth
- **For MCSESM and MCSESP switches**:
- CLI: radius server auth modify msgauth
- SNMP: hm2AgentRadiusServerMsgAuth
- **For MCSESR switches*:
- CLI: radius server auth modify msgauth
- SNMP: hm2AgentRadiusServerMsgAuth
3. Network Segmentation:
- Isolate control and safety system networks from business networks using firewalls.
- Restrict physical access to industrial control systems (ICS) and peripheral devices.
4. Secure Remote Access:
- Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
- Avoid connecting mobile devices to isolated networks without proper sanitation.
### Impact Assessment
The vulnerability poses a significant risk to organizations relying on Schneider Electric Modicon switches. Potential consequences include:
- Denial of Service (DoS): Attackers could disrupt network operations, leading to downtime in critical infrastructure.
- Data Breaches: Unauthorized modification of RADIUS responses could expose sensitive data.
- Integrity Violations: Legitimate responses could be altered, leading to unauthorized access or malicious actions.
Given the global deployment of these switches across critical infrastructure sectors, the flaw could have far-reaching implications for industrial cybersecurity.
### Attack Vector
The vulnerability is exploited by intercepting and forging RADIUS protocol messages. Attackers with access to the network can:
1. Monitor RADIUS communications between the switch and the authentication server.
2. Forge responses to legitimate requests, altering device behavior.
3. Bypass authentication or cause DoS conditions by modifying responses.
## Conclusion
Schneider Electric’s advisory highlights the critical nature of CVE-2024-3596, a vulnerability that could compromise the security and reliability of industrial networks. Organizations using Modicon Network Managed Switches must immediately enable the RADIUS Server Message Authenticator and follow best practices for network segmentation and remote access. Failure to act could result in severe operational disruptions, data breaches, and integrity violations.
For further assistance, contact Schneider Electric’s Industrial Cybersecurity Services or visit their cybersecurity support portal.
## References
[^1]: Schneider Electric. "ICSA-26-160-01: Schneider Electric Modicon Network Managed Switches". Retrieved 2025-01-24.
[^2]: CVE. "CVE-2024-3596 Detail". Retrieved 2025-01-24.
[^3]: CISA. "Recommended Cybersecurity Best Practices". Retrieved 2025-01-24.
[^4]: Schneider Electric. "Cybersecurity Support Portal". Retrieved 2025-01-24.