Major railroad-signaling vulnerability could lead to train disruptions
A newly disclosed vulnerability in train braking systems could let hackers remotely stop trains with relatively simple and inexpensive hardware, potentially causing derailments.
The high-severity vulnerability, tracked as CVE-2025-1727, involves weak authentication in the protocol used to send what are known as end-of-train and head-of-train packets: radio signals that command a rail vehicle’s end-of-train device to stop the vehicle.
“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said in a July 10 advisory about the vulnerability, which it described as being relatively simple to exploit.
The Association of American Railroads, an industry trade group that manages a committee responsible for maintaining the flawed protocol, is developing new systems to replace the vulnerable ones, according to the CISA advisory.
But those new systems won’t be ready until 2027 at the earliest, according to Neil Smith, one of two researchers who independently discovered the vulnerability and reported it to CISA. Eric Reuter, the other researcher credited with its discovery, first presented a talk about it at the DEF CON hacker conference in 2018.
In a thread on X, Smith claimed that he first reported the flaw to the Department of Homeland Security in 2012 but that the AAR “would only acknowledge the vulnerability if we could prove it IRL.” He said that after he started discussing the flaw again with CISA last year, the AAR and rail equipment vendors dismissed the seriousness of the issue.
“AAR’s Director of Information Security decided this was not that big of a deal, and they were not going to do anything about it as the devices and protocol were ‘end of life’ which is ironic because they are still in use today,” Smith wrote. “AAR walked away from talking to CISA multiple times.”
CISA and the AAR did not immediately respond to a request for comment.
Dangerous flaw
The newly revealed vulnerability potentially represents one of the most serious cyber threats to rail infrastructure ever discovered. By sending fraudulent brake signals to a train, hackers could derail or damage it, imperiling its passengers and cargo, and wreak havoc on the U.S.’s precisely timed freight and passenger rail system.
In the U.S., roughly 140,000 miles of track transport 1.5 billion tons of goods every year. Railroads are also vital to military logistics: Hackers believed to be working for the Russian government have repeatedly struck rail infrastructure in Ukraine, as well as in Poland, a key hub for Western aid bound for Ukraine. The highly disruptive Polish attack relied on a cheap device that emitted RF waves, a method that also works for the new vulnerability.
Daniel dos Santos, senior director and head of research at the operational technology cybersecurity firm Forescout, said the vulnerability was serious for two reasons: it can be exploited wirelessly, something he noted has happened before, and it affects a protocol that will be difficult to fix. He urged companies to identify their potential exposure and deploy intrusion-detection software that can spot data packets originating outside a trusted network.
The flaw “highlights the critical need for cybersecurity on railways,” dos Santos said via email.
The Transportation Security Administration, which is responsible for helping to protect the rail industry from cyber threats and natural disasters, issued its first cyber regulations in 2022. Since then, the TSA has tried to work with the industry to shore up its digital defenses, but experts consider that effort to be nascent compared to the work underway in higher-profile sectors like finance and energy.
The TSA did not respond to a request for comment.