The server logs looked clean. They lied.
A critical RADIUS zero-day vulnerability is now being used in the wild. It exploits a flaw in the authentication flow of some RADIUS protocol implementations. Attackers can bypass credentials, escalate privileges, and move laterally inside a network without triggering standard alerts. This is not theoretical. Working exploits have been confirmed.
The RADIUS zero-day vulnerability targets outdated or improperly patched RADIUS servers. It can be triggered remotely, often with no valid username or password. Vulnerable endpoints respond as if authentication has succeeded, handing over access to protected systems. In some cases, the flaw can be chained with other network protocol weaknesses to create full compromise.
Operators relying on RADIUS for VPNs, network switches, Wi-Fi controllers, and identity gateways face the highest exposure. Systems that have not applied vendor patches or mitigations are at risk of silent breach. Standard log review may fail to detect the intrusion, as the attack does not always leave clear traces in authentication records.
The technical root lies in how some RADIUS servers parse and validate incoming Access-Request packets. Malformed attributes can bypass PAP, CHAP, or EAP checks, tricking the server into responding with Access-Accept. When integrated with TACACS+ or LDAP backends, the exploit can propagate deeper into the authentication chain, unlocking administrative control.
Mitigation steps must happen immediately. Audit your infrastructure for any RADIUS servers in use. Identify vendor advisories and apply all security patches. If patches are not available for your version, disable affected services or restrict access to known IP ranges. Monitor for anomalous Access-Accept events in logs, even if user identities appear valid. Deploy intrusion detection rules to catch malformed RADIUS packets.
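The last mitigation step calls for rules that catch malformed RADIUS packets. As an added example (not from the original post and not tied to any specific vendor flaw), the Python function below applies the structural rules of RFC 2865 and RFC 3579 to a raw UDP payload and reports every violation it finds. The `build` helper and the packets it produces are constructed for illustration.

```python
import struct

# Attribute type numbers from RFC 2865 and RFC 3579
USER_PASSWORD, CHAP_PASSWORD, STATE, EAP_MESSAGE, MESSAGE_AUTH = 2, 3, 24, 79, 80
ACCESS_REQUEST = 1
# Attributes whose total length (type + length + value) is fixed by the RFCs
FIXED_LEN = {CHAP_PASSWORD: 19, MESSAGE_AUTH: 18}

def check_radius_packet(data):
    """Return a list of structural findings for one UDP payload (empty = well-formed)."""
    if len(data) < 20:
        return ["datagram shorter than 20-byte RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096:
        return [f"declared length {length} outside 20..4096"]
    if length > len(data):
        return [f"declared length {length} exceeds datagram size {len(data)}"]
    findings = []
    if length < len(data):  # legal padding per RFC 2865, but worth surfacing
        findings.append(f"{len(data) - length} trailing bytes after declared length")
    seen, pos = [], 20
    while pos < length:  # walk the type-length-value attribute list
        if length - pos < 2:
            findings.append(f"truncated attribute header at offset {pos}")
            break
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            findings.append(f"attribute {atype} at offset {pos} has bad length {alen}")
            break
        if atype in FIXED_LEN and alen != FIXED_LEN[atype]:
            findings.append(f"attribute {atype} length {alen}, expected {FIXED_LEN[atype]}")
        if atype == USER_PASSWORD and not (18 <= alen <= 130 and (alen - 2) % 16 == 0):
            findings.append(f"User-Password length {alen} is not a 16..128 byte block multiple")
        seen.append(atype)
        pos += alen
    if code == ACCESS_REQUEST:
        if not {USER_PASSWORD, CHAP_PASSWORD, STATE, EAP_MESSAGE} & set(seen):
            findings.append("Access-Request carries no credential attribute")
        if USER_PASSWORD in seen and CHAP_PASSWORD in seen:
            findings.append("Access-Request carries both User-Password and CHAP-Password")
        if EAP_MESSAGE in seen and MESSAGE_AUTH not in seen:
            findings.append("EAP-Message without Message-Authenticator")
    return findings

def build(code, attrs):
    """Assemble a constructed sample packet (zeroed authenticator, identifier 1)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

Run it against payloads captured on the RADIUS authentication port and alert on any non-empty result; a finding means the packet breaks the RFC layout, not that a particular exploit was used.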
Attackers move fast when a zero-day drops. Waiting for a full incident report is a mistake. By the time you read the headlines, the probing has already started.
Test your systems now. See how hoop.dev can spin up a live environment in minutes for safe simulation and verification before the real exploit finds you.