
A critical vulnerability in a decades-old wireless protocol used by freight trains across North America allows attackers to remotely issue emergency brake commands, potentially halting trains or causing brake system failures.
The flaw, assigned CVE-2025-1727, remained unresolved for over a decade and is now formally acknowledged by CISA in a new advisory.
The issue affects all versions of the End-of-Train (EoT) and Head-of-Train (HoT) remote linking protocol, used to connect a train's locomotive to the rear-mounted FRED (Flashing Rear-End Device) via radio frequency. The protocol has no cryptographic authentication: packets are validated only with a BCH checksum, an error-detecting code that involves no secret and can be computed by anyone who knows the frame format. That makes it possible for attackers with a software-defined radio (SDR) to forge control packets and trigger emergency braking at the tail end of a train.
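To make the "checksum is not authentication" point concrete, here is an added Python example (not code from the article, CISA, AAR or any rail vendor) that contrasts a receiver which accepts frames on an unkeyed checksum with one that requires a keyed MAC. CRC-32 stands in for the unkeyed BCH code the article mentions; both are error-detecting codes with no secret, which is the property that matters here. The frame layout, the command string and the pairing key are constructed for the demonstration and are not the real EoT/HoT encoding.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy frame layout (hypothetical; NOT the real EoT/HoT format):
#   payload bytes || tag
# For the checksum variant the tag is a 4-byte CRC-32; for the MAC variant
# it is a 16-byte truncated HMAC-SHA256.
CHECKSUM_LEN = 4
MAC_LEN = 16


def build_frame_checksum(payload: bytes) -> bytes:
    """Frame protected only by an unkeyed CRC-32 (stand-in for a BCH code).

    Any sender that knows the format can produce a valid tag; the check only
    catches transmission noise, not a deliberately crafted frame.
    """
    return payload + struct.pack(">I", zlib.crc32(payload))


def verify_checksum(frame: bytes) -> bool:
    """Receiver-side check that an unauthenticated protocol performs."""
    payload, tag = frame[:-CHECKSUM_LEN], frame[-CHECKSUM_LEN:]
    return struct.unpack(">I", tag)[0] == zlib.crc32(payload)


def build_frame_mac(payload: bytes, key: bytes) -> bytes:
    """Frame protected by a keyed MAC; only holders of the pairing key can build it."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + tag


def verify_mac(frame: bytes, key: bytes) -> bool:
    """Receiver-side check for the authenticated variant (constant-time compare)."""
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Run the comparison and report which receiver accepts which frame."""
    pairing_key = b"per-train pairing key (constructed)"
    cmd = b"CMD:EMERGENCY_BRAKE"  # constructed command string, not the real encoding

    # A frame from a sender that knows only the frame format (no key involved).
    unkeyed_frame = build_frame_checksum(cmd)
    # A frame from the paired unit that holds the key.
    keyed_frame = build_frame_mac(cmd, pairing_key)
    # A frame from a sender that guesses a key it does not have.
    wrong_key_frame = build_frame_mac(cmd, b"guessed key")
    # A keyed frame with a single bit flipped in transit.
    corrupted = bytes([keyed_frame[0] ^ 0x01]) + keyed_frame[1:]

    return {
        "checksum_accepts_unkeyed_sender": verify_checksum(unkeyed_frame),
        "mac_accepts_paired_unit": verify_mac(keyed_frame, pairing_key),
        "mac_rejects_wrong_key": not verify_mac(wrong_key_frame, pairing_key),
        "mac_rejects_corruption": not verify_mac(corrupted, pairing_key),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The first result is the whole vulnerability in one line: a receiver that validates with a checksum alone has no way to tell a paired unit's frame from anyone else's, because the only thing it checks is something everyone can compute. The MAC variant rejects both the unkeyed sender and random corruption, which is the property the replacement protocol needs to provide.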
The vulnerability was first reported in 2012 by hardware security researcher Neil Smith, who identified that for as little as $500 in gear, a threat actor could interfere with brake operations. Smith's disclosure was initially dismissed by the Association of American Railroads (AAR), which controls the protocol via its Railroad Electronics Standards Committee (RESC). Another researcher, Eric Reuter, independently confirmed the issue two years later and presented his findings publicly, yet little action followed until Smith reignited the conversation in 2024.
The risk is not theoretical. While no exploitation has yet been reported in the U.S., the attack model is similar to a 2023 rail disruption in Poland, where unauthorized RF signals stopped trains using unencrypted emergency brake commands. With growing geopolitical tensions and the protocol's broad deployment across 75,000+ devices in the US, Canada, and Mexico, the likelihood of misuse is no longer negligible.
The vulnerable system is widely used by North American freight operators, including those deploying equipment from major vendors like Hitachi Rail STS USA, Wabtec, and Siemens. EoT devices are crucial for collecting telemetry and issuing braking commands from the rear, which is especially important for long-haul freight trains spanning over two miles.
CISA scored the issue 8.1 (CVSS v3), citing low attack complexity, no need for authentication, and a potentially high impact on safety and availability. The advisory notes that although the attack cannot be performed remotely over the internet, RF-based attacks can be launched from several miles away, or even farther, with an elevated line of sight, raising concerns about aerial attacks or sabotage by well-positioned adversaries.
Following renewed pressure, AAR announced in May 2025 that it will begin replacing the outdated RF protocol with a more secure standard, IEEE 802.16t Direct Peer-to-Peer (DPP), starting in 2026. This transition will involve the complete replacement of tens of thousands of FRED units, with Smith estimating it could take 5–7 years and cost upwards of $7–10 billion.
Until then, CISA and AAR recommend limiting physical and wireless exposure of EoT/HoT devices, deploying detection systems to log anomalous braking commands, and transitioning away from legacy devices as soon as replacements become available.
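The detection recommendation above, as an added example (not code from CISA, AAR or any vendor): a small rule-based detector that runs over receiver log lines and flags braking commands that do not fit the train's own pairing. The log format, device IDs, pairing table and thresholds are all constructed for the example; real receiver logs will differ, and the rules would need tuning against an operator's actual traffic.

```python
import re
from collections import deque
from datetime import datetime

# Constructed log format (hypothetical; not any vendor's real receiver log):
#   <ISO-8601 UTC time> rx src=<HoT id> dst=<EoT id> cmd=<STATUS|EMERGENCY_BRAKE>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rx src=(?P<src>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+)$"
)

# Pairing table: which head-of-train unit is allowed to command which EoT.
# Constructed for the example; an operator would load this from its own records.
PAIRINGS = {"EOT-9120": "HOT-4417"}

# Rate rule: more than RATE_LIMIT emergency-brake commands to one EoT within
# RATE_WINDOW_S seconds is treated as a flood/replay pattern. Constructed values.
RATE_WINDOW_S = 10
RATE_LIMIT = 3

# Constructed sample log: normal status traffic, a burst of brake commands from
# an unknown source, then one legitimate brake command from the paired unit.
SAMPLE_LOG = """\
2025-07-14T10:02:11Z rx src=HOT-4417 dst=EOT-9120 cmd=STATUS
2025-07-14T10:02:41Z rx src=HOT-4417 dst=EOT-9120 cmd=STATUS
2025-07-14T10:03:05Z rx src=HOT-0001 dst=EOT-9120 cmd=EMERGENCY_BRAKE
2025-07-14T10:03:06Z rx src=HOT-0001 dst=EOT-9120 cmd=EMERGENCY_BRAKE
2025-07-14T10:03:07Z rx src=HOT-0001 dst=EOT-9120 cmd=EMERGENCY_BRAKE
2025-07-14T10:03:08Z rx src=HOT-0001 dst=EOT-9120 cmd=EMERGENCY_BRAKE
2025-07-14T10:05:30Z rx src=HOT-4417 dst=EOT-9120 cmd=EMERGENCY_BRAKE
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect(lines, pairings=PAIRINGS):
    """Return a list of alert dicts for commands that violate the two rules."""
    alerts = []
    recent_brakes = {}  # dst EoT id -> deque of recent brake-command timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, cmd, ts = rec["src"], rec["dst"], rec["cmd"], rec["ts"]

        # Rule 1: any command from a unit that is not this EoT's paired HoT.
        if pairings.get(dst) != src:
            alerts.append({"time": ts.isoformat(), "reason": "unpaired_source",
                           "src": src, "dst": dst, "cmd": cmd})

        # Rule 2: emergency-brake commands arriving faster than the rate limit.
        if cmd == "EMERGENCY_BRAKE":
            window = recent_brakes.setdefault(dst, deque())
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > RATE_WINDOW_S:
                window.popleft()
            if len(window) > RATE_LIMIT:
                alerts.append({"time": ts.isoformat(), "reason": "brake_command_flood",
                               "src": src, "dst": dst, "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the detector raises four unpaired-source alerts (one per command from the unknown unit) and one flood alert when the fourth brake command lands inside the ten-second window; the paired unit's later single brake command is not flagged. Logging alone does not stop a forged command from being acted on, which is why the recommendation pairs it with reducing RF exposure and replacing the devices.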
Update: CISA has sent a statement to CyberInsider to clarify some points about the flaw's exploitability risk.
“The End-of-Train (EOT) and Head-of-Train (HOT) vulnerability has been understood and monitored by rail sector stakeholders for over a decade. To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespread exploitation—particularly without a large, distributed presence in the U.S.
While the vulnerability remains technically significant, CISA has been working with industry partners to drive mitigation strategies. Fixing this issue requires changes to a standards-enforced protocol, and that work is currently underway. CISA continues to encourage manufacturers to adopt Secure by Design principles to reduce the attack surface and ensure resilient communications systems for operators.” – CISA's Acting Executive Assistant Director for Cybersecurity, Chris Butera