20-year-old Vulnerability in Radio Remote Linking Protocol Let Hackers Control Train Brakes

CISA has issued a critical advisory warning about a severe vulnerability in railway communication systems that could allow attackers to control train brakes remotely. 

The vulnerability, assigned CVE-2025-1727, affects End-of-Train and Head-of-Train remote linking protocols used across the United States transportation infrastructure.

Key Takeaways
1. CVE-2025-1727 affecting all End-of-Train/Head-of-Train protocols with CVSS v4 score of 7.2.
2. Weak BCH checksum authentication allows attackers to use software-defined radio to forge brake control packets.
3. Successful exploitation enables unauthorized brake commands, causing sudden train stops or brake failures.
4. Mitigation includes network isolation, firewall protection, secure VPN access, and manufacturer coordination for protocol updates.

FRED Protocol Vulnerability

The vulnerability, categorized under CWE-1390 for weak authentication, has been assigned a CVSS v4 base score of 7.2 and a CVSS v3 score of 8.1, indicating high severity. 

The CVSS v4 vector string (AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H) reveals that the attack requires adjacent network access but has low complexity and no privileges required.

The vulnerability affects all versions of the End-of-Train and Head-of-Train remote linking protocol, commonly known as FRED (Flashing Rear End Device). 

This protocol is maintained by the Association of American Railroads (AAR) Railroad Electronics Standards Committee (RESC) and is used by multiple manufacturers, including Hitachi Rail STS USA, Wabtec, and Siemens.

Technical details reveal that the security flaw stems from the protocol’s reliance on a BCH checksum for packet creation and authentication. 

Researchers Neil Smith and Eric Reuter discovered that attackers can exploit this weakness using software-defined radio (SDR) technology to create malicious End-of-Train (EoT) and Head-of-Train (HoT) packets.

Successful exploitation could allow attackers to send unauthorized brake control commands to end-of-train devices, potentially causing sudden train stoppages that disrupt operations or induce brake system failures. 

The vulnerability operates over radio frequency (RF) communications, making it particularly concerning for railway infrastructure security.

The alert classifies this as an Industrial Control System vulnerability with low attack complexity but significant potential impact on transportation systems operations.

Mitigations

CISA recommends several defensive measures to minimize exploitation risks. Organizations should ensure control system devices are not accessible from the internet, implement proper network segmentation with firewalls, and use secure remote access methods like Virtual Private Networks (VPNs).

The Association of American Railroads is actively pursuing new equipment and protocols to replace traditional End-of-Train and Head-of-Train devices. 

Standards committees are investigating mitigating solutions, with manufacturers being advised to contact their device suppliers for specific guidance.

CISA emphasizes that no known public exploitation targeting this vulnerability has been reported, and the vulnerability is not remotely exploitable. 

However, the agency encourages organizations to implement recommended cybersecurity strategies for the proactive defense of Industrial Control Systems (ICS) assets and report any suspected malicious activity through established procedures.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now