An update is available for ISA 2006 with SP1 or less users who uses Radius OTP to authenticate backend web servers. The vulnerability allows an attacker to assume an admin without keying in the correct password (authentication bypass).
Please update your issue of ISA immediately to avoid any possible attacks.
Source MS Article snippet of the update:
"This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation."
Source article: http://www.microsoft.com/technet/security/bulletin/MS09-031.mspx