Schneider Electric’s April 14, 2026 advisory, republished by CISA on June 9, warns that all versions of its Connexium, Modicon, and Modicon Redundancy managed switches can be exposed to CVE-2024-3596 if administrators disable RADIUS Message-Authenticator protection. The alert is not about a newly discovered Schneider coding mistake so much as an old authentication protocol finally colliding with the realities of industrial Ethernet. For plant operators, water utilities, energy firms, and facilities teams, the uncomfortable lesson is simple: a checkbox left in the wrong state can turn a managed switch into a trust boundary that trusts too much.
The vulnerability carries a CVSS 3.1 score of 9.0, which is enough to make any security dashboard flash red. But the detail that matters most is quieter: Schneider says the default RADIUS configuration is not vulnerable. The danger appears when the RADIUS Server Message Authenticator option is disabled, creating room for response forgery attacks that could alter Access-Accept, Access-Reject, or Access-Challenge messages.
That distinction is the story. Industrial cybersecurity is often sold as a contest between attackers and exotic zero-days. Here, the risk sits in a familiar administrative seam: legacy protocol behavior, interoperability pressure, and device configurations that may have been changed years ago to make authentication “just work.”
The Vulnerability Is in the Trust Fabric, Not Just the Switch
CVE-2024-3596 is better known in security circles as the BlastRADIUS class of attack, a weakness in how classic RADIUS authentication can be abused when message integrity is not properly enforced. RADIUS has been a workhorse for decades, quietly handling authentication for VPNs, Wi-Fi, switches, routers, and administrative logins. Its longevity is part of the problem: protocols designed for older assumptions do not always age cleanly into hostile, segmented-but-still-connected industrial networks.
The relevant failure mode is not that an attacker guesses a password or exploits a web panel. It is that an attacker positioned between a RADIUS client and server may be able to tamper with the authentication conversation when the Message-Authenticator attribute is not required. In practical terms, the attacker aims to transform what should have been one authentication outcome into another.
That is why the Schneider advisory’s wording is so stark. It warns that a valid response could be modified into another response, opening the door to denial of service and loss of confidentiality or integrity for devices connected to the switch. In a conventional IT network, that is serious. In an operational technology environment, where switches often sit close to controllers, human-machine interfaces, drives, meters, and safety-adjacent systems, it becomes a governance problem as much as a network problem.
The affected product families are broad: Connexium Managed Switches, Modicon Managed Switches, and Modicon Redundancy Switches, all listed as affected across all versions. That does not mean every deployed switch is presently exploitable. It means every operator using these product lines should assume the configuration deserves inspection.
“Default Safe” Is Not the Same as “Fleet Safe”
Schneider’s most important sentence is also the easiest one for management to misread: the default RADIUS configuration is not vulnerable. That is good news for freshly installed devices, lab systems, and sites that have never touched the relevant parameter. It is not a clean bill of health for real-world fleets.
Industrial networks accumulate exceptions. A switch installed during a line expansion may have been configured by an integrator who is no longer under contract. A RADIUS server migration may have led someone to disable stricter message handling to restore access for a maintenance window. A redundancy switch may have inherited a template copied from a neighboring site, then survived three plant managers and two cybersecurity programs.
The operational question is therefore not, “Are Schneider defaults safe?” It is, “What is actually running in the cabinets?” That question is harder, more expensive, and more politically inconvenient than reading a vendor advisory.
Schneider’s mitigation is specific. For TCSESM-series Connexium switches, administrators should keep the Message Authenticator setting enabled through the CLI command radius server msgauth or the hmAgentRadiusServerMsgAuth MIB. For MCSESM and MCSESP Modicon managed switches, the relevant CLI path is radius server auth modify msgauth, with hm2AgentRadiusServerMsgAuth exposed through SNMP. The MCSESR redundancy line uses the same radius server auth modify msgauth command and hm2AgentRadiusServerMsgAuth MIB.
That level of detail matters because many industrial sites do not patch switches casually. If the mitigation is a configuration validation rather than a firmware replacement, it can be folded into a planned audit, a maintenance window, or an asset-management sweep. But it also removes a common excuse: no one has to wait for a vendor image to confirm whether the dangerous state exists.
RADIUS Became Infrastructure by Being Boring
RADIUS is one of those technologies that became ubiquitous because it disappeared into the background. It lets network devices ask a central server whether a user, service, or device should be allowed in. For administrators, it offers central policy. For auditors, it offers a cleaner trail than local accounts scattered across switches.
That bargain worked because RADIUS was “good enough” across many environments. It was lightweight, widely supported, and deeply embedded in network access control designs. It also retained compatibility assumptions that made sense when networks were smaller, more trusted, and less exposed to sophisticated man-in-the-middle attacks.
BlastRADIUS forced the industry to revisit that bargain. The attack family highlighted that deployments lacking proper Message-Authenticator enforcement could be vulnerable even if the surrounding authentication architecture looked mature on paper. The weakness is especially awkward because it does not map neatly to a single vendor. It is a protocol problem expressed through product behavior and configuration choices.
This is where the Schneider advisory becomes more than a Schneider story. Industrial networks are full of equipment that delegates trust to shared services: RADIUS, LDAP, Active Directory, certificate authorities, jump servers, VPN concentrators, and time sources. When one of those trust mechanisms is weakened, the blast radius is measured not only in affected products but in the assumptions built around them.
Industrial Switches Are No Longer Passive Plumbing
It is tempting to think of managed switches as inert infrastructure, the Ethernet equivalent of conduit. That view is obsolete. Modern industrial switches enforce segmentation, expose administrative interfaces, participate in redundancy schemes, support SNMP monitoring, integrate with centralized authentication, and increasingly sit inside cybersecurity architectures that assume the network can make decisions.
Schneider’s Modicon and Connexium families exist in that world. These are not consumer routers forgotten under a desk. They are infrastructure pieces used to connect industrial Ethernet devices and provide managed switching features in environments where uptime, determinism, and physical placement matter.
That makes authentication integrity especially important. If administrative access to a switch is mediated through RADIUS, a forged authentication response is not an abstract cryptographic defect. It potentially affects who can log in, who can change configuration, and whether access controls behave as designed.
The advisory lists possible consequences as denial of service and loss of confidentiality or integrity for connected devices. That phrasing is deliberately broad, and operators should resist both panic and complacency. A vulnerable RADIUS exchange does not automatically mean a plant shutdown is imminent. It does mean a security control that many organizations treat as central may be weaker than expected under specific network-positioning conditions.
The Attacker Still Needs Position, but Position Is Not Science Fiction
One reason protocol-level flaws can be underestimated is that they often require an attacker to be on path. That requirement is real. An internet rando cannot magically forge RADIUS responses from across the world unless other network failures have already put them in the communication path.
But in industrial environments, “on path” is not a fantasy scenario. Contractors connect laptops. Remote support paths exist. Corporate and plant networks may be segmented in diagrams more cleanly than in switches. Temporary wireless bridges, unmanaged field devices, misconfigured firewalls, and legacy routing decisions all create opportunities for traffic interception or manipulation.
The security industry sometimes talks about on-path attackers as though they are rare apex predators. In practice, on-path access can be the second act of a very ordinary intrusion. Compromise a poorly managed jump host, land on a monitoring server, abuse a flat management VLAN, or pivot through a vendor remote-access appliance, and the once-theoretical position starts to look more attainable.
That is why CISA’s familiar recommendations remain relevant even when they sound generic. Keep control-system devices off the public internet. Put control and safety networks behind firewalls. Separate business networks from operational networks. Use secure remote-access methods and keep those access tools patched. These are not slogans; they are the compensating controls that prevent a protocol weakness from becoming an operational incident.
The Windows Angle Runs Through Identity and NPS
For WindowsForum readers, the Schneider alert may look at first like an industrial hardware bulletin with little connection to Windows. That would be a mistake. In many organizations, Microsoft infrastructure is part of the RADIUS story through Network Policy Server, Active Directory-backed authentication, certificate services, logging pipelines, and the administrative workstations used to manage switches.
When RADIUS behavior changes, Windows administrators often feel it. Network Policy Server deployments may need policy review. Authentication logs may become the first signal that a stricter Message-Authenticator requirement has broken a legacy client. Domain groups that grant switch administration rights may suddenly become more sensitive because the path between switch and RADIUS server is under scrutiny.
Microsoft previously issued guidance around managing RADIUS Access-Request behavior associated with CVE-2024-3596, and enterprise administrators have already seen the broader industry effect: vendors tightening RADIUS enforcement, network devices rejecting older exchanges, and once-stable authentication flows failing after security updates. That is the other side of remediation. Fixing protocol trust can break assumptions that were never documented.
The right response is not to disable the protection again and move on. It is to map which switches use RADIUS, which servers answer them, which attributes are required, and which management paths could observe or alter that traffic. If Windows NPS is in the path, it should be treated as part of the industrial identity plane, not merely as a back-office service.
The Most Dangerous Configuration Is the One Nobody Owns
The advisory’s mitigation is operationally straightforward, but ownership may not be. Network teams own switches. OT engineers own uptime. Security teams own risk. Windows administrators may own the RADIUS server. Vendors and integrators may own enough institutional knowledge to make everyone else nervous.
That is the governance trap. A setting on a switch can be simple to verify and still difficult to change because no single team feels authorized to touch it. In industrial environments, that hesitation is understandable. A botched switch configuration can affect production, safety monitoring, or remote support.
Still, there is a difference between cautious change control and unmanaged risk. The advisory does not ask operators to redesign their network. It asks them to keep a protective RADIUS parameter enabled and to avoid disabling it for compatibility. If a site discovers that it was disabled, the next question should be why.
Maybe an older RADIUS server did not interoperate cleanly. Maybe a template was copied from a previous generation. Maybe someone disabled it during troubleshooting and never restored it. Each explanation points to a different remediation path, but all of them point to the same lesson: authentication security settings need configuration management, not folklore.
CISA’s Republication Turns a Vendor Notice Into an Asset-Inventory Test
CISA republished Schneider Electric CPCERT’s advisory on June 9, 2026, after Schneider’s original April 14 release. The agency’s conversion note says the industrial control system advisory is a verbatim republication of Schneider’s CSAF advisory, provided to increase visibility. That detail matters because it frames CISA as amplifier rather than original technical author.
Even so, CISA republication changes the practical life of the advisory. It pushes the issue into federal and critical-infrastructure visibility channels, where asset owners, managed security providers, and compliance teams are more likely to catch it. A vendor PDF can be missed. A CISA ICS advisory is harder to ignore.
The affected sectors listed are broad: commercial facilities, energy, food and agriculture, government services and facilities, transportation systems, and water and wastewater. That is a reminder that “industrial” no longer means only smokestacks and substations. Managed switches like these can appear in building automation, pump stations, packaging lines, transit facilities, and distributed infrastructure that looks mundane until it fails.
The global deployment note is equally important. Schneider Electric is headquartered in France, but the product footprint is worldwide. For multinational operators, this should not be handled as a regional exception. It belongs in global configuration baselines and site-assurance checks.
A Critical Score With a Conditional Trigger
CVSS 9.0 is a blunt instrument. It communicates urgency, but not likelihood in a particular plant. The vector Schneider reports is network-based, requires no privileges and no user interaction, has high impacts across confidentiality, integrity, and availability, but includes high attack complexity and a changed scope.
That mix explains why the advisory feels both severe and conditional. The impact can be high if exploited. The path to exploitation is not as simple as scanning the internet for an exposed web service. An attacker needs the right network position and the right RADIUS configuration weakness.
Security programs should be mature enough to hold both facts at once. This is not a reason to shut down lines in panic. It is also not a reason to file the advisory under “default safe” and forget it. Conditional vulnerabilities are exactly the ones that punish organizations with poor asset visibility.
The smart prioritization is to look first at sites where RADIUS is used for switch administration, where management networks are shared with broader IT segments, where remote access vendors have reach into network infrastructure, and where authentication templates were customized for legacy compatibility. Those are the environments where “not vulnerable by default” may be least reassuring.
Compatibility Debt Always Comes Due
The phrase Message-Authenticator sounds like a small implementation detail, but it represents a larger principle: authentication messages must be protected against tampering, not merely exchanged between systems that know a shared secret. Older RADIUS deployments often relied on assumptions that are now visibly insufficient.
The painful part is that stricter enforcement can expose stale dependencies. A RADIUS server may support the right behavior while a client does not. A switch may be configurable while an old server profile is not. A firmware upgrade on one side may force a setting change on the other. This is why BlastRADIUS remediation across the industry has sometimes produced login failures, emergency rollbacks, and hurried vendor escalations.
Schneider’s advisory avoids that drama by emphasizing that the safe state is already the default. But industrial operators should still test before making broad changes, especially in remote or redundancy-sensitive environments. If a switch currently has the setting disabled, re-enabling it should be handled through controlled change management, with local access plans and rollback procedures.
The larger goal is not merely to comply with one advisory. It is to reduce compatibility debt around authentication. If a site depends on weakening message integrity to keep old systems functioning, the vulnerability is not the only problem. The architecture is telling you where it is brittle.
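What "requiring Message-Authenticator" means on the client side, as an added example that is not code from Schneider, CISA, or the original article: it follows the attribute's definition in RFC 2869/RFC 3579 (HMAC-MD5 over the packet with the attribute zeroed, keyed with the shared secret, using the Request Authenticator of the matching Access-Request). The secret, identifiers, and packets are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80            # attribute type, RFC 2869
REPLY_MESSAGE = 18
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def parse_attributes(body):
    """Return [(type, value_offset, value)] for each attribute TLV in body."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, i + 2, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_response(code, ident, request_auth, attrs, secret, sign=True):
    """Server side: build a response, optionally with Message-Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        # 16 zero octets stand in for the value while the HMAC is computed.
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if sign:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    # Response Authenticator = MD5(header | RequestAuth | attributes | secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret, require_msgauth=True):
    """Client side: return (accepted, reason) for a received response."""
    if len(packet) < 20:
        return False, "short packet"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False, "bad length field"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:length]
    try:
        macs = [(off, val) for t, off, val in parse_attributes(body)
                if t == MESSAGE_AUTHENTICATOR]
    except ValueError as exc:
        return False, str(exc)
    if not macs and require_msgauth:
        return False, "message-authenticator missing"
    if len(macs) > 1 or any(len(val) != 16 for _, val in macs):
        return False, "malformed message-authenticator"
    if macs:
        off, received = macs[0]
        zeroed = body[:off] + bytes(16) + body[off + 16:]
        expected = hmac.new(secret, header + request_auth + zeroed,
                            hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):
            return False, "message-authenticator mismatch"
    # The legacy MD5 check still runs, but it is no longer the only check.
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False, "response authenticator mismatch"
    return True, "verified" if macs else "accepted without message-authenticator"


def demo():
    secret = b"constructed-shared-secret"       # constructed sample values
    request_auth = bytes(range(16))
    attrs = [(REPLY_MESSAGE, b"login denied")]
    signed = build_response(ACCESS_REJECT, 7, request_auth, attrs, secret)
    unsigned = build_response(ACCESS_REJECT, 7, request_auth, attrs, secret,
                              sign=False)
    altered = bytes([ACCESS_ACCEPT]) + signed[1:]   # code byte changed in transit
    return {
        "signed, strict client": verify_response(signed, request_auth, secret),
        "altered, strict client": verify_response(altered, request_auth, secret),
        "unsigned, strict client": verify_response(unsigned, request_auth, secret),
        "unsigned, lenient client": verify_response(unsigned, request_auth,
                                                    secret, False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The lenient client is the disabled-setting case: it falls back to the MD5 Response Authenticator alone, which is the check the advisory says can no longer be trusted on its own.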
Security Teams Should Treat SNMP as Evidence, Not an Afterthought
Schneider’s mitigation guidance includes both CLI commands and MIB objects, which is more useful than it may appear. CLI validation works for individual devices. SNMP enables broader discovery, monitoring, and compliance checks across fleets.
For large operators, that distinction is decisive. A spreadsheet saying “Modicon switches checked” is less persuasive than a recurring configuration query tied to an asset inventory. If the relevant MIB value can confirm whether Message Authenticator is enabled, it should be pulled into whatever compliance mechanism the organization already trusts.
Of course, SNMP brings its own hygiene requirements. Read access should be controlled, community strings should not be reused relics from 2009, and SNMPv3 should be preferred where supported. The cure for one weak trust path should not be another weak trust path.
Still, this is an opportunity. Many organizations have struggled to make OT asset management more than a passive inventory exercise. Here is a concrete configuration state tied to a critical advisory, exposed in a machine-readable way, and applicable across affected product families. That is exactly the kind of check that should become routine.
The Real Remediation Is a Conversation Between IT and OT
The Schneider advisory sits at the intersection of industrial networking, centralized authentication, and enterprise identity. No one team can close that loop alone. OT knows where the switches are and what production risks attach to touching them. IT knows the RADIUS and Windows identity infrastructure. Security knows how to prioritize exposure and validate controls.
That triad is easy to endorse in a slide deck and harder to execute on a Tuesday afternoon. The practical first step is to identify whether affected switch families exist in the environment. The second is to determine whether RADIUS is used. The third is to verify whether Message Authenticator remains enabled.
From there, the work becomes site-specific. If RADIUS is not used, the immediate CVE path may not apply, but local accounts and management-plane exposure still deserve review. If RADIUS is used and the setting is enabled, document the state and monitor for drift. If the setting is disabled, determine who changed it, why, and what will break when it is restored.
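The three checks and the site-specific outcomes above, run as a recurring job over an asset inventory and polled evidence, as an added example that is not part of the advisory or any vendor tool. The record fields, the seven-day staleness window and all sample devices are assumptions; the poll results stand in for values already read over SNMP or the CLI.

```python
from datetime import datetime, timedelta

AFFECTED = ("TCSESM", "MCSESM", "MCSESP", "MCSESR")  # product lines named in the article
MAX_AGE = timedelta(days=7)  # assumption: evidence older than this counts as stale

def triage(inventory, evidence, previous, now):
    """Return {switch: (status, next_step)} for every affected switch in the inventory."""
    findings = {}
    for asset in inventory:
        name = asset["name"]
        if not asset["model"].upper().startswith(AFFECTED):
            continue  # outside the affected families
        ev = evidence.get(name)
        if ev is None or now - ev["polled"] > MAX_AGE:
            findings[name] = ("unverified", "no current evidence; poll it or check the CLI")
        elif not ev["radius"]:
            findings[name] = ("radius-unused", "review local accounts and management-plane exposure")
        elif ev["msg_auth"]:
            findings[name] = ("ok", "document the state and monitor for drift")
        elif previous.get(name, {}).get("msg_auth"):
            findings[name] = ("drift", "was enabled at the last run; find who changed it and why")
        else:
            findings[name] = ("exposed", "restore the setting under change control")
    return findings

# Constructed sample data: names, models and poll results are invented for illustration.
NOW = datetime(2026, 6, 10, 8, 0)
INVENTORY = [
    {"name": "sw-a", "model": "TCSESM-sample"}, {"name": "sw-b", "model": "MCSESM-sample"},
    {"name": "sw-c", "model": "MCSESP-sample"}, {"name": "sw-d", "model": "MCSESR-sample"},
    {"name": "sw-e", "model": "MCSESM-sample"}, {"name": "sw-f", "model": "OTHER-sample"},
]
FRESH, OLD = NOW - timedelta(hours=2), NOW - timedelta(days=30)
EVIDENCE = {
    "sw-a": {"polled": FRESH, "radius": True, "msg_auth": True},
    "sw-b": {"polled": FRESH, "radius": True, "msg_auth": False},
    "sw-c": {"polled": FRESH, "radius": True, "msg_auth": False},
    "sw-d": {"polled": FRESH, "radius": False, "msg_auth": True},
    "sw-e": {"polled": OLD, "radius": True, "msg_auth": True},
    "sw-f": {"polled": FRESH, "radius": True, "msg_auth": False},
}
PREVIOUS = {"sw-a": {"msg_auth": True}, "sw-b": {"msg_auth": True}}

if __name__ == "__main__":
    for name, (status, step) in triage(INVENTORY, EVIDENCE, PREVIOUS, NOW).items():
        print(f"{name:6} {status:14} {step}")
```

A switch whose last poll is stale lands in `unverified` rather than `ok`, which is the difference between evidence and a spreadsheet entry.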
This is also a good moment to revisit remote access. A RADIUS forgery attack needs positioning; remote access paths are often how attackers gain it. VPNs, vendor support tunnels, jump servers, and management VLANs should be reviewed as part of the same risk picture, not as separate compliance chores.
The Schneider Advisory Is a Small Switch Setting With a Large Operational Shadow
The immediate action is narrow, but the implications are not. Schneider is telling operators to keep Message Authenticator enabled on affected managed switches, while CISA is using its ICS channel to make sure the warning reaches the sectors most likely to depend on them. The advisory should become a configuration-verification task, an identity-infrastructure review, and a reminder that industrial networks inherit the weaknesses of the protocols they standardize on.
- All versions of the listed Connexium Managed Switches, Modicon Managed Switches, and Modicon Redundancy Switches are affected when the RADIUS Server Message Authenticator option is disabled.
- Schneider says the default RADIUS configuration is not vulnerable, so the highest-risk systems are likely to be devices with customized or inherited authentication settings.
- Administrators should verify the relevant CLI or SNMP setting on TCSESM, MCSESM, MCSESP, and MCSESR product lines rather than relying on assumptions about defaults.
- Organizations using Microsoft-backed RADIUS through Windows Network Policy Server should treat this as an identity-path issue that spans OT switches and enterprise authentication.
- The exploit scenario depends on network position, which makes segmentation, remote-access control, and management-plane isolation central parts of the mitigation.
- The advisory is best handled through controlled change management, because restoring stricter RADIUS integrity checks can expose undocumented compatibility dependencies.
References
- Primary source: CISA
Published: 2026-06-09T12:00:00+00:00
- Related coverage: cert.europa.eu
- Related coverage: arista.com