CISA Advisory ICSA-26-160-01: Schneider Electric Modicon Switch RADIUS Vulnerability
What OT Security Teams and DoD STIG Auditors Must Do in the Next 30 Days
Published 2026-06-10
# CISA ICSA-26-160-01: Schneider Electric Modicon Switch RADIUS Flaw Demands Immediate DoD STIG Action
CISA has published ICS advisory ICSA-26-160-01, warning that a RADIUS protocol vulnerability affects all versions of Schneider Electric Connexium Managed Switches, Modicon Managed Switches, and Modicon Redundancy Switches — network infrastructure widely deployed across industrial and defense-adjacent environments.
## What the Advisory Actually Says
The vulnerability centers on a weakness in the RADIUS authentication protocol as implemented across the entire Modicon/Connexium managed switch product line. An attacker able to position themselves on the network path between the switch and the RADIUS server could forge authentication responses — flipping an Access-Reject into an Access-Accept, or manipulating an Access-Challenge — without legitimate credentials.
The real-world impact is severe for operational technology environments:
- Denial of service against devices connected through the switch
- Loss of confidentiality and integrity across the switch fabric
- Potential unauthorized access to network segments gated by RADIUS authentication
Critically, this affects all firmware versions of the listed product families. There is no "patched release" to simply upgrade to; Schneider Electric's guidance centers on network-layer mitigations and configuration hardening, making this a controls problem, not just a patch problem.
## Why DoD STIG Teams Are in the Hot Seat
For organizations operating under DoD STIG requirements, this advisory lands with particular weight. Network infrastructure STIGs — including the Network Infrastructure Policy STIG and relevant switch-specific benchmarks — explicitly require that AAA/RADIUS implementations be hardened and that authentication traffic be protected against interception and manipulation. A RADIUS forgery path directly violates those controls.
Equally important: ACAS (Assured Compliance Assessment Solution) and SCAP-based audits will flag misconfigured or unmitigated RADIUS deployments during the next scheduled scan cycle. If your team cannot demonstrate that compensating controls are in place and documented, you are looking at open CAT I or CAT II findings on your next Plan of Action & Milestones (POA&M).
The advisory's severity rating of 4 out of 5 means this will not be dismissed as a low-priority item during any credible STIG review.
## What You Should Do in the Next 7–30 Days
Days 1–7: Identify and inventory. Enumerate every Connexium, Modicon Managed, and Modicon Redundancy Switch in your environment. Cross-reference against network diagrams and your CMDB. Confirm which switches use RADIUS for authentication.
Days 7–14: Apply Schneider Electric's published mitigations. Follow the specific hardening steps referenced in the CSAF file linked within ICSA-26-160-01. Key areas typically include restricting RADIUS traffic to dedicated, isolated management VLANs, enforcing RADIUS over TLS (RadSec) where supported, and disabling RADIUS on segments where it is not operationally required.
Days 14–30: Document compensating controls and update your POA&M. For any switch where full mitigation is not immediately achievable — due to operational constraints or lack of feature support — document an approved compensating control per your AO's guidance. Run an ACAS scan after mitigations are applied to confirm the finding is closed or downgraded. Update STIG checklists (CKLs) in eMASS accordingly.
Continuously: Monitor lateral authentication traffic. A RADIUS forgery attack is often a precursor to lateral movement. Ensure your SIEM is alerting on unexpected RADIUS response patterns and authentication anomalies across the switch layer.
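One way to implement the correlation behind such an alert, as an added example rather than code from the advisory or from Schneider Electric: compare what the RADIUS server decided with what the switch actually granted, since a forged response shows up as a grant the server never issued. The event schema, addresses, user names and the 30-second window are constructed assumptions, not a real product's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema.
SERVER_LOG = [  # decisions recorded by the RADIUS server
    {"ts": "2026-06-10T08:00:01", "nas": "10.20.0.5", "user": "ops1", "decision": "Access-Accept"},
    {"ts": "2026-06-10T08:03:10", "nas": "10.20.0.5", "user": "svc-hist", "decision": "Access-Reject"},
    {"ts": "2026-06-10T08:09:00", "nas": "10.20.0.7", "user": "ops2", "decision": "Access-Reject"},
]
SWITCH_LOG = [  # sessions the switches (NAS devices) actually granted
    {"ts": "2026-06-10T08:00:02", "nas": "10.20.0.5", "user": "ops1"},
    {"ts": "2026-06-10T08:03:11", "nas": "10.20.0.5", "user": "svc-hist"},
    {"ts": "2026-06-10T08:05:40", "nas": "10.20.0.6", "user": "eng3"},
]

WINDOW = timedelta(seconds=30)  # assumed tolerance for clock skew and retries


def find_mismatches(server_log, switch_log, window=WINDOW):
    """Return switch-side grants that the RADIUS server did not authorise."""
    decisions = {}
    for ev in server_log:
        key = (ev["nas"], ev["user"])
        decisions.setdefault(key, []).append(
            (datetime.fromisoformat(ev["ts"]), ev["decision"]))

    alerts = []
    for grant in switch_log:
        when = datetime.fromisoformat(grant["ts"])
        # Server decisions for the same switch and user, close in time to the grant.
        nearby = [(abs(when - t), d)
                  for t, d in decisions.get((grant["nas"], grant["user"]), [])
                  if abs(when - t) <= window]
        verdict = min(nearby)[1] if nearby else None  # nearest decision wins
        if verdict == "Access-Accept":
            continue  # server and switch agree
        reason = ("server-rejected-but-switch-granted" if verdict == "Access-Reject"
                  else "grant-without-server-decision")
        alerts.append({**grant, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_mismatches(SERVER_LOG, SWITCH_LOG):
        print(alert)
```

A rejection with no matching grant (the `ops2` event) produces no alert; only grants the server did not back are reported.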