Executive Summary
In December 2025, Hitachi Energy disclosed a critical vulnerability (CVE-2024-3596) affecting its AFS, AFR, and AFF series infrastructure hardware, which is widely deployed in the global energy sector. The issue centers on improper enforcement of message integrity in RADIUS communications: an attacker on the local network can mount a chosen-prefix collision attack against the MD5 response authenticator. This could let a malicious actor forge RADIUS authentication responses, potentially leading to unauthorized network access, disruption of critical systems, or exfiltration of sensitive data. The flaw carries a CVSS score of 9.0 (critical), but exploitation requires high attack complexity.
This case highlights the continued risks posed by legacy authentication protocols and cryptographic weaknesses within operational technology environments. As adversaries increasingly target energy and critical infrastructure supply chains, prioritizing secure authentication and traffic integrity mechanisms is vital to maintaining resilience and regulatory compliance.
Why This Matters Now
Legacy cryptographic primitives such as MD5, and protocols such as RADIUS that still depend on them, remain embedded in critical infrastructure, exposing organizations to advanced adversaries capable of exploiting integrity weaknesses. With no known public exploits yet, proactive remediation is imperative, especially as energy companies confront growing regulatory pressure and sophisticated supply chain threats.
Attack Path Analysis
In this attack path, an attacker exploits the improper enforcement of message integrity in the RADIUS protocol (CVE-2024-3596) to tamper with authentication messages on critical infrastructure switches, gaining unauthorized access to internal management functions. From that foothold, the attacker leverages weak segmentation and east-west traffic controls to move laterally within the OT network. Malicious commands or configuration changes are coordinated via tampered management channels, keeping command-and-control hidden in east-west flows. Sensitive device data or credentials can then be exfiltrated over unmonitored outbound or internal traffic. Ultimately, the adversary may disrupt switch operations, impacting critical energy sector systems and data integrity.
Kill Chain Progression
Initial Compromise
Description
Exploited the RADIUS message integrity flaw via manipulation of authentication responses, granting unauthorized access to affected network switches.
Related CVEs
CVE-2024-3596
CVSS: 9.0
The RADIUS protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid response (Access-Accept, Access-Reject, or Access-Challenge) into any other response using a chosen-prefix collision attack against the MD5 response authenticator signature.
Affected Products:
Hitachi Energy AFS 660-B/C/S – all
Hitachi Energy AFS 665-B/S – all
Hitachi Energy AFS 670 v2.0 – all
Hitachi Energy AFS 650 – all
Hitachi Energy AFS 655 – all
Hitachi Energy AFS 670 – all
Hitachi Energy AFS 675 – all
Hitachi Energy AFS 677 – all
Hitachi Energy AFR 677 – all
Hitachi Energy AFF 660 – all
Hitachi Energy AFF 665 – all
Exploit Status:
no public exploit
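To make the message-integrity point in the CVE description concrete, the following added Python example (not code from this page, from Hitachi Energy or from CISA) implements both integrity checks a RADIUS client such as a switch can perform on a response: the legacy MD5 Response Authenticator of RFC 2865, which is the value CVE-2024-3596 lets an attacker collide, and the keyed HMAC-MD5 Message-Authenticator attribute of RFC 2869, whose presence and correctness a hardened client should require. The shared secret, the Request Authenticator and the Reply-Message text are constructed sample values, not values from any real deployment.

```python
"""Constructed example: verifying RADIUS response integrity (RFC 2865 / RFC 2869)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
REPLY_MESSAGE = 18           # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type, value is a 16-byte HMAC-MD5
HEADER_LEN = 20              # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

SHARED_SECRET = b"constructed-example-secret"  # constructed, not a real secret
REQUEST_AUTH = bytes(range(16))                # constructed stand-in for a NAS's random Request Authenticator


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def parse_attrs(packet):
    """Parse the attribute section after the 20-byte header; reject malformed lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(header, request_auth, body, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # Unkeyed MD5 over attacker-influenced data, so it offers no collision resistance.
    return hashlib.md5(header + request_auth + body + secret).digest()


def message_authenticator(header, request_auth, zeroed_body, secret):
    # RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret over the packet
    # with the Message-Authenticator value replaced by 16 zero bytes. For responses,
    # the Request Authenticator of the matching Access-Request is used as input.
    return hmac.new(secret, header + request_auth + zeroed_body, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, include_ma=True):
    """Build a server response; include_ma=False models a legacy server with no HMAC."""
    if include_ma:
        attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]  # placeholder value
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    if include_ma:
        ma = message_authenticator(header, request_auth, body, secret)
        body = encode_attrs(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, ma)])
    return header + response_authenticator(header, request_auth, body, secret) + body


def verify_response(packet, request_auth, secret, require_ma=True):
    """Client-side check. Returns (ok, reason); require_ma rejects HMAC-less responses."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False, "bad length or code"
    if not hmac.compare_digest(response_authenticator(header, request_auth, body, secret), resp_auth):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attrs(packet)
    except ValueError as exc:
        return False, str(exc)
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        return (False, "missing Message-Authenticator") if require_ma else (True, "legacy-only")
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    if not hmac.compare_digest(message_authenticator(header, request_auth, zeroed, secret), mas[0]):
        return False, "bad Message-Authenticator"
    return True, "ok"


def demo():
    """Exercise the verifier on a hardened, a legacy and a bit-flipped response."""
    attrs = [(REPLY_MESSAGE, b"Welcome")]
    good = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SHARED_SECRET)
    legacy = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SHARED_SECRET, include_ma=False)
    tampered = bytearray(good)
    tampered[0] = ACCESS_REJECT  # naive in-flight edit without fixing the authenticator
    return {
        "good": verify_response(good, REQUEST_AUTH, SHARED_SECRET),
        "legacy_strict": verify_response(legacy, REQUEST_AUTH, SHARED_SECRET),
        "legacy_permissive": verify_response(legacy, REQUEST_AUTH, SHARED_SECRET, require_ma=False),
        "tampered": verify_response(bytes(tampered), REQUEST_AUTH, SHARED_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

With require_ma left at its default, a response that carries no Message-Authenticator is rejected rather than accepted on the strength of the MD5 Response Authenticator alone; the permissive mode exists only to show what a legacy client accepts. Because HMAC-MD5 keyed with the shared secret does not rely on MD5 collision resistance, requiring the attribute on every Access-Request and every response, on both the RADIUS server and the switch acting as NAS, is the standard mitigation for this class of forgery; on the detection side, responses arriving without the attribute, or with a wrong one, are the events worth alerting on.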
MITRE ATT&CK® Techniques
Adversary-in-the-Middle: Network Device Authentication
Application Layer Protocol: Web Protocols
Modify Authentication Process: Network Authentication Protocol
Data Manipulation: Stored Data Manipulation
Endpoint Denial of Service
Container Administration Command
Network Sniffing
Account Access Removal
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication and Message Integrity Mechanisms
Control ID: 8.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9(1)
CISA ZTMM 2.0 – Strong Authentication and Credential Assurance
Control ID: Identity Pillar: Authentication Protection
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical energy infrastructure faces severe RADIUS authentication bypass risks in Hitachi Energy switching equipment, potentially enabling unauthorized access to power grid control systems.
Oil/Energy/Solar/Greentech
Energy sector operations vulnerable to RADIUS protocol attacks on critical switching infrastructure, compromising authentication integrity and operational availability across renewable and traditional energy systems.
Industrial Automation
Manufacturing and process control systems using affected Hitachi Energy switches face authentication forgery attacks, potentially disrupting automated operations and compromising industrial network security.
Government Administration
Government facilities and critical infrastructure networks utilizing affected energy switching equipment face high-severity authentication bypass vulnerabilities requiring immediate RADIUS server configuration updates.
Sources
- Hitachi Energy AFS, AFR and AFF Series: https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-03
- CVE-2024-3596 Detail: https://nvd.nist.gov/vuln/detail/CVE-2024-3596
- CVE-2024-3596 Record: https://www.cve.org/CVERecord?id=CVE-2024-3596
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust controls—such as encrypted management traffic, microsegmentation, robust east-west visibility, inline threat prevention, and tightened egress policy—would have restricted unauthorized access, contained lateral movement, and detected or blocked malicious behaviors at various points in the kill chain.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents interception or manipulation of authentication messages.
Control: Zero Trust Segmentation
Mitigation: Restricts administrative access only to trusted identities and zones.
Control: East-West Traffic Security
Mitigation: Halts unauthorized east-west movements across the OT environment.
Control: Threat Detection & Anomaly Response
Mitigation: Detects anomalous traffic and remote control activities in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized or suspicious outbound and inter-network data transfers.
Limits blast radius and prevents widespread operational disruption.
Impact at a Glance
Affected Business Functions
- Network Authentication Services
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of authentication credentials and unauthorized access to network resources.
Recommended Actions
Key Takeaways & Next Steps
- Immediately enable strong encryption (MACsec/IPsec) and message authenticity for all network device management traffic.
- Implement Zero Trust Segmentation and identity-based policies to restrict access to critical device management planes.
- Enforce robust east-west traffic controls and microsegmentation within OT and cloud-connected environments.
- Deploy real-time threat detection and anomaly response focused on lateral movement and management plane misuse.
- Centralize egress policy enforcement and monitor for suspicious outbound or internal data transfers to rapidly detect and block exfiltration attempts.