CVE-2024-3596

CRITICAL

FreeRADIUS < 3.0.27 - RADIUS Response Forgery via MD5 Chosen-Prefix Collision

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-3596. PoCs published by alperenugurlu.

AI-analyzed exploit summary This repository contains a Python script that detects CVE-2024-3596 by analyzing RADIUS/UDP traffic for MD5 collisions. It captures Access-Request packets and checks for vulnerabilities but does not exploit them.

Description

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Exploits (1)

nomisec SCANNER 7 stars
by alperenugurlu · poc
https://github.com/alperenugurlu/CVE-2024-3596-Detector

This repository contains a Python script that detects CVE-2024-3596 by analyzing RADIUS/UDP traffic for MD5 collisions. It captures Access-Request packets and checks for vulnerabilities but does not exploit them.

Classification
Scanner 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: RADIUS protocol implementations
Auth required
Prerequisites: Shared secret · Network interface access · RADIUS dictionary file
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (13)

Core 13
Core References
Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/456537
Technical Description
https://www.blastradius.fail/

Scores

CVSS v3 9.0
EPSS 0.1486
EPSS Percentile 96.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-354 CWE-924
Status published
Products (5)
broadcom/brocade_sannav
broadcom/fabric_operating_system
freeradius/freeradius < 3.0.27
IETF/RFC 2865
sonicwall/sonicos
Published Jul 09, 2024
Tracked Since Feb 18, 2026