RADIUS/UDP vulnerable to improved MD5 collision attack
ID: 255c6f22-2e53-5b7c-a2d1-bf11906a1322
STIX ID: report--255c6f22-2e53-5b7c-a2d1-bf11906a1322
Feed Name: Cloudflare Blog
This report presents the Blast-RADIUS attack: an improved MD5 chosen-prefix collision exploit that lets a man-in-the-middle (MitM) attacker with access to RADIUS/UDP traffic forge Response Authenticators and escalate to administrative access on routers and switches. The authors describe the attack flow (using Proxy-State to inject collision gibberish), the performance improvements that make collisions practical in minutes, the coordinated disclosure (CVE-2024-3596), and mitigations including migrating to RADIUS-over-TLS (RADSEC) or requiring HMAC-based Message-Authenticator attributes.
