
Critical Flaw Lets Attackers Hijack Train Brakes With $500 Radio Equipment

12-Year-Old Vulnerability Finally Exposed.

[Image: Hacking Train in USA]

A critical security vulnerability in America's railway system allows attackers to remotely hijack train brake controls using inexpensive radio equipment, potentially causing derailments or shutting down the entire national rail network. The flaw affects all End-of-Train (EOT) and Head-of-Train (HOT) devices currently deployed across US freight and passenger rail operations.

The vulnerability, designated CVE-2025-1727 with a CVSS score of 8.1, stems from weak authentication protocols in the wireless communication system between train cars and locomotive cabs.

These "FRED" devices (Flashing Red End Device) were mandated by Congress in the 1980s to replace traditional cabooses but rely on outdated security measures from that era.

Security researcher Neil Smith discovered the flaw in 2012 when he noticed the radio transmissions used a simple BCH checksum for packet validation rather than proper encryption.

"The RF link is peak 1980s security," Smith explained in a detailed Twitter thread. "Why bother with security when it is just illegal to use the frequencies that the EOT/HOT operate on?"
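To make concrete what a checksum does and does not guarantee, here is an added example (not code from the article, the researcher, or any railway vendor) that contrasts a receiver which validates frames with a keyless error-detecting code against one that requires a keyed message authentication tag plus a replay counter. The four-byte frame layout, the CRC-16 used as a stand-in for the BCH code, the truncated HMAC-SHA256 tag, the counter and the key are all constructed assumptions for illustration, not the real EOT/HOT protocol.

```python
import hashlib
import hmac
import struct

# Constructed toy frame layout (NOT the real EOT/HOT format): message type,
# 16-bit unit id, 8-bit brake command byte.
def build_payload(msg_type: int, unit_id: int, command: int) -> bytes:
    return struct.pack(">BHB", msg_type, unit_id, command)

def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: a keyless error-detecting code, standing in for the
    BCH code. Anyone who knows the polynomial can compute it for any payload."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc

# --- Receiver A: error detection only (the 1980s-style design the article describes) ---
def build_checksum_frame(payload: bytes) -> bytes:
    return payload + crc16_ccitt(payload).to_bytes(2, "big")

def accept_checksum_frame(frame: bytes) -> bool:
    """Detects line noise, but says nothing about who sent the frame."""
    if len(frame) < 2:
        return False
    body, tag = frame[:-2], frame[-2:]
    return crc16_ccitt(body).to_bytes(2, "big") == tag

# --- Receiver B: keyed authentication with a replay counter (assumed hardened design) ---
TAG_LEN = 8  # truncated HMAC-SHA256 tag; 64 bits is ample for a low-rate radio link

def build_auth_frame(payload: bytes, key: bytes, counter: int) -> bytes:
    header = payload + counter.to_bytes(4, "big")
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag

def accept_auth_frame(frame: bytes, key: bytes, last_counter: int) -> tuple:
    """Return (accepted, new_last_counter). Rejects bad tags and stale counters."""
    if len(frame) < 4 + TAG_LEN:
        return False, last_counter
    header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False, last_counter
    counter = int.from_bytes(header[-4:], "big")
    if counter <= last_counter:
        return False, last_counter  # replayed or out-of-order frame
    return True, counter

def demo() -> dict:
    # Constructed key, assumed to be provisioned to both the HOT and EOT units.
    link_key = hashlib.sha256(b"constructed demo link key").digest()
    payload = build_payload(msg_type=0x01, unit_id=0x1234, command=0x0F)

    # A sender holding no secret can emit a frame the checksum-only receiver accepts.
    unkeyed_checksum_frame = build_checksum_frame(payload)
    # The same sender, lacking link_key, cannot produce a valid tag for receiver B.
    unkeyed_auth_frame = build_auth_frame(payload, b"\x00" * 32, counter=1)
    # The legitimate unit holds link_key.
    genuine_frame = build_auth_frame(payload, link_key, counter=1)

    ok_genuine, last = accept_auth_frame(genuine_frame, link_key, last_counter=0)
    ok_replay, _ = accept_auth_frame(genuine_frame, link_key, last_counter=last)
    return {
        "unkeyed_passes_checksum": accept_checksum_frame(unkeyed_checksum_frame),
        "unkeyed_passes_mac": accept_auth_frame(unkeyed_auth_frame, link_key, 0)[0],
        "genuine_passes_mac": ok_genuine,
        "replay_rejected": not ok_replay,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The takeaway for defenders is the distinction between integrity against noise and authenticity against a sender: an error-detecting code is meant to catch corrupted bits, and it does that well, but every party on the channel can compute it, so it cannot tell a receiver whether a command came from the locomotive. A keyed tag ties acceptance to possession of a secret, and the counter prevents a captured valid frame from being accepted a second time; the remaining engineering problem is provisioning and rotating that key across a fleet, which is the kind of work a protocol replacement such as the 802.16t migration has to address.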

The vulnerability allows attackers to craft malicious brake control commands using software-defined radio equipment costing under $500. An attacker could potentially cause sudden train stoppages, induce brake failures leading to derailments, or create widespread disruption across rail networks. The threat extends beyond freight operations to passenger rail services that use the same vulnerable protocols.

What makes this particularly concerning is the 12-year delay between discovery and public disclosure. Smith initially reported the vulnerability to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2012, but faced resistance from the Association of American Railroads (AAR), which dismissed the threat as "theoretical" without real-world proof.

The AAR's Director of Information Security reportedly considered the issue insignificant, arguing the devices were "end of life" despite their continued widespread use. Only after CISA threatened public disclosure did the AAR announce in April 2025 that new 802.16t protocols would replace the vulnerable systems by 2027 at the earliest.

CISA's advisory warns that successful exploitation could allow attackers to "send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure." The agency emphasizes that affected systems should be isolated from internet access and protected behind firewalls.

The vulnerability affects equipment from major manufacturers, including Hitachi Rail STS USA, Wabtec, and Siemens. While no active exploitation has been reported, researchers strongly warn against attempting to test these vulnerabilities due to severe safety risks.

The research highlights critical gaps in the railway cybersecurity infrastructure that supports America's $80 billion freight rail industry, which transports 40% of the nation's long-distance freight. The delayed response also raises questions about industry accountability in addressing security vulnerabilities that could impact public safety and national infrastructure.
