F5 Inc.

07/31/2024 | News release | Distributed by Public on 07/31/2024 09:40

Blast-RADIUS Vulnerability Requires Action Now

Per the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD), the RADIUS protocol "under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature."

In this scenario, attackers can gain elevated access to network devices and services without resorting to brute-force attacks such as credential stuffing. The Blast-RADIUS site, created by the university researchers and Big Tech organizations that discovered the flaw, includes extensive information on the vulnerability and mitigation methods, plus some valuable questions and answers.

To summarize briefly, the threat model requires an attacker who has already gained network access and can act as a "man-in-the-middle" between the RADIUS client and RADIUS server, giving them the ability to read, intercept, modify, or stop inbound and outbound packets. If proxies are in use, the attack could occur at any hop.
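As an added illustration, not code from the F5 release or from the Blast-RADIUS researchers, the following Python builds and checks a RADIUS response: it computes the RFC 2865 Response Authenticator the advisory refers to (a plain MD5 with the shared secret appended, which is what the chosen-prefix collision targets) next to the RFC 2869 Message-Authenticator attribute (an HMAC-MD5 over the same fields), and shows a client check that refuses any response not carrying a valid Message-Authenticator. The shared secret, Request Authenticator, identifier and attribute contents are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 HMAC-MD5 attribute, 16-byte value

# Constructed sample values, not taken from any real deployment.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # Request Authenticator of the Access-Request

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def build_response(code, ident, attrs, req_auth, secret, with_msg_auth=True):
    """RFC 2865 Response Authenticator = MD5(Code|ID|Len|ReqAuth|Attrs|Secret).
    The secret is merely appended, so an MD5 chosen-prefix collision lets the
    attribute bytes change without changing the hash (Blast-RADIUS).
    Message-Authenticator is an HMAC over the same fields and has no such flaw."""
    if with_msg_auth:
        attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:
        mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac  # fill in the placeholder
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, req_auth, secret):
    """Client-side check. Returns (resp_auth_ok, msg_auth_ok); a client that
    trusts resp_auth_ok alone is the one the advisory describes as exposed."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    resp_ok = hmac.compare_digest(
        hashlib.md5(header + req_auth + attrs + secret).digest(), resp_auth)
    msg_ok, off = False, 0
    while off + 2 <= len(attrs):
        t, l = attrs[off], attrs[off + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
            expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            msg_ok = hmac.compare_digest(expected, attrs[off + 2:off + 18])
        off += max(l, 2)  # never loop forever on a malformed zero length
    return resp_ok, msg_ok

def accept_response(packet, req_auth, secret):
    """Hardened policy: require both checks; never accept on the MD5 hash alone."""
    return all(verify_response(packet, req_auth, secret))
```

A response built without Message-Authenticator still passes the Response Authenticator check but is rejected by `accept_response`, which is the behaviour a hardened client or proxy hop should enforce.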