Blast-RADIUS Vulnerability: Security Advisory
In July 2024, security researchers disclosed a serious flaw in one of enterprise networking’s most foundational protocols. The Blast-RADIUS vulnerability affects the RADIUS protocol, which is commonly used for authentication, authorization, and accounting in enterprise and telecommunication networks. The attack is particularly alarming because of how little it requires from an adversary. A man-in-the-middle attacker between the RADIUS client and server can forge a valid Access-Accept message in response to a failed authentication request — gaining access to network devices and services without guessing or brute-forcing passwords or shared secrets.
Blast-RADIUS is a protocol vulnerability, and thus affects all RADIUS implementations using non-EAP authentication methods over UDP. That’s a wide surface area, spanning VPNs, firewalls, switches, and essentially any network access infrastructure built on traditional RADIUS.
LoginTC responded quickly. The latest version of the LoginTC RADIUS Connector (4.0.11) includes several new features that protect organizations against Blast-RADIUS attacks, both in the short term and long term. On the server side, LoginTC RADIUS Connector 4.0.11 ensures that a Message-Authenticator attribute is always set when sending back RADIUS responses to RADIUS clients — a critical mitigation recommended by the researchers themselves. Administrators running version 4.0.11 or later can also configure their endpoints to require Message-Authenticator attributes from clients, hardening both sides of the authentication exchange.
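The two mitigations described above (always emitting a Message-Authenticator in responses, and optionally requiring one from clients) are both checks on RADIUS attribute 80, an HMAC-MD5 keyed with the shared secret as defined in RFC 2869 and RFC 3579 section 3.2. The following added example, written for this page and not taken from the LoginTC RADIUS Connector or any other product, shows a minimal packet builder and verifier for both sides of the exchange. The shared secret, identifiers and attribute values are constructed sample data; the function names and the `require_message_authenticator` flag are hypothetical and only mirror the policy choice the text describes.

```python
"""RADIUS Message-Authenticator (attribute 80) handling per RFC 2869 / RFC 3579 s.3.2.
Illustrative code written for this page; not LoginTC's implementation."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Parse TLV attributes; a bad length is an error, never silently skipped."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator


def message_authenticator(code, ident, authenticator, attrs, secret):
    """HMAC-MD5 (keyed with the shared secret) over Code, Identifier, Length, Authenticator
    and Attributes, with the Message-Authenticator value itself zeroed. For an Access-Request
    `authenticator` is the packet's Request Authenticator; for Accept/Reject/Challenge it is
    the Request Authenticator of the request being answered (RFC 3579 section 3.2)."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    data = header(code, ident, HEADER_LEN + len(body), authenticator) + body
    return hmac.new(secret, data, hashlib.md5).digest()


def _with_message_authenticator(code, ident, authenticator, attrs, secret):
    attrs = [(t, v) for t, v in attrs if t != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, authenticator, attrs, secret))
    return attrs


def build_request(ident, attrs, secret):
    """Client side: Access-Request with a fresh random Request Authenticator and attribute 80."""
    request_auth = os.urandom(16)
    body = encode_attrs(_with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    return header(ACCESS_REQUEST, ident, HEADER_LEN + len(body), request_auth) + body


def build_response(code, ident, request_auth, attrs, secret, include_message_authenticator=True):
    """Server side: response with attribute 80 always set. The flag exists only so the
    test can show what an unprotected (pre-mitigation) response looks like."""
    if include_message_authenticator:
        attrs = _with_message_authenticator(code, ident, request_auth, attrs, secret)
    body = encode_attrs(attrs)
    length = HEADER_LEN + len(body)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s.3.
    # This unkeyed MD5 construction is the one Blast-RADIUS targets; kept for wire compatibility.
    resp_auth = hashlib.md5(header(code, ident, length, request_auth) + body + secret).digest()
    return header(code, ident, length, resp_auth) + body


def _split(packet):
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad length")
    return code, ident, length, packet[4:20], packet[HEADER_LEN:length]


def _check_message_authenticator(code, ident, authenticator, body, secret):
    """True/False for a present attribute 80; None when it is absent (policy decides)."""
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return False
    found = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return None
    if len(found) != 1 or len(found[0]) != 16:
        return False
    return hmac.compare_digest(message_authenticator(code, ident, authenticator, attrs, secret), found[0])


def verify_request(packet, secret):
    """Server policy 'require Message-Authenticator from clients': absent means reject."""
    try:
        code, ident, _, request_auth, body = _split(packet)
    except ValueError:
        return False
    return code == ACCESS_REQUEST and _check_message_authenticator(code, ident, request_auth, body, secret) is True


def verify_response(packet, request_auth, secret, require_message_authenticator=True):
    """Client check: the Response Authenticator alone is what Blast-RADIUS defeats, so a client
    that can require attribute 80 refuses responses without it."""
    try:
        code, ident, length, resp_auth, body = _split(packet)
    except ValueError:
        return False
    expected = hashlib.md5(header(code, ident, length, request_auth) + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    ok = _check_message_authenticator(code, ident, request_auth, body, secret)
    return (not require_message_authenticator) if ok is None else ok
```

The point to notice is the asymmetry: the Response Authenticator is plain MD5 over data the attacker can partly control, while the Message-Authenticator is an HMAC keyed with the shared secret, so an attacker who can manipulate the MD5 check cannot produce the HMAC without the secret. A client that only checks the former accepts a response lacking attribute 80; the same response is rejected once the attribute is required, which is the configuration choice the paragraph above describes.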
LoginTC’s response was recognized at the highest level of the disclosure process. LoginTC’s blog post is listed in the official vendor and media coverage section of blastradius.fail — the researchers’ own advisory site — alongside responses from major players like Palo Alto Networks, Cloudflare, Arista Networks, and SUSE. Being included in that list reflects that LoginTC’s guidance met the standard expected of security vendors responding to a coordinated vulnerability disclosure.
LoginTC has since taken the response a step further by adding RadSec (RADIUS over TLS) support to the RADIUS Connector, introducing full TLS encryption for RADIUS traffic. This addresses the root architectural weakness that made Blast-RADIUS possible in the first place, and positions LoginTC customers well against future protocol-level threats.