The RADIUS protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against the MD5 Response Authenticator signature.
https://securityaffairs.com/165641/security/palo-alto-networks-critical-bug-expedition.html
https://www.cisa.gov/news-events/ics-advisories/icsa-24-193-05
https://www.theregister.com/2024/07/10/radius_critical_vulnerability/
https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack
https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf
https://datatracker.ietf.org/doc/html/rfc2865
https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
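The Response Authenticator named in the description is defined in RFC 2865 as a plain MD5 digest over the response header, the Request Authenticator, the attributes and the shared secret. The following is an added example, not code from the advisory or from any RADIUS implementation, showing that computation and the client-side check it supports. The shared secret, Request Authenticator and Reply-Message text are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11  # RFC 2865 codes

def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The secret is only a suffix of an unkeyed MD5 input, which is why the
    integrity of this value depends on MD5's collision resistance."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(code, ident, attributes, request_auth, secret):
    """Server side: header, 16-byte Response Authenticator, attributes."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes

def verify_response(packet, request_ident, request_auth, secret):
    """Client side: return the response Code, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("invalid Length field")
    if ident != request_ident:
        raise ValueError("Identifier does not match the request")
    attributes = packet[20:length]
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code

# Constructed sample values (not taken from any real deployment).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
IDENT = 0x2A
text = b"denied"
REPLY_MESSAGE = struct.pack("!BB", 18, 2 + len(text)) + text  # attribute type 18

def naive_code_flip_detected():
    """Rewriting only the Code byte must fail verification."""
    reject = build_response(ACCESS_REJECT, IDENT, REPLY_MESSAGE, REQUEST_AUTH, SECRET)
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]
    try:
        verify_response(tampered, IDENT, REQUEST_AUTH, SECRET)
    except ValueError:
        return True
    return False
```

This check is the only integrity protection RFC 2865 gives a response, so a client that relies on it alone inherits MD5's weakness to chosen-prefix collisions described above.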