Vulnerability that Stops a Running Train ◆ Cervello
CVE-2025-1727 Exposed: Everything you should know
🚨 A Wake-Up Call for Railway Cybersecurity 🚨
This week, a vulnerability more than a decade in the making — discovered by Neil Smith and Eric Reuter, and formally disclosed by Cybersecurity & Infrastructure Security Agency (CISA) — has finally been made public, affecting virtually every train in the U.S. and Canada that uses the industry-standard End-of-Train / Head-of-Train (EoT/HoT) wireless braking system.
CVE-2025-1727 reveals a critical design flaw: the EoT/HoT linking protocol, which carries emergency brake commands from the head-of-train unit to the end-of-train unit over a radio channel, has no cryptographic authentication. Instead, frames are protected only by a BCH checksum, an error-detecting code meant to catch accidental corruption in transit, not deliberate forgery. Anyone who knows the frame layout can compute a valid checksum for any command they choose.
That means anyone with a software-defined radio (SDR), basic protocol knowledge, and a position within radio range can craft a fake emergency brake command and bring a train to a halt. It requires no insider access, no malware, and no zero-day: just an unauthenticated RF command.
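To make the distinction in the previous two paragraphs concrete, here is an added example (not code from Cervello, CISA or the researchers, and not the real EoT/HoT frame format): a toy 15-bit frame protected by the parity of the BCH(15,7) code, whose generator polynomial is g(x) = x^8 + x^7 + x^6 + x^4 + 1, beside the same command protected by an HMAC under a shared key. The 7-bit command values, the 4-byte counter, the 64-bit truncated tag and the demo key are all assumptions chosen for the illustration.

```python
import hashlib
import hmac

# Generator polynomial of the BCH(15,7) code: g(x) = x^8 + x^7 + x^6 + x^4 + 1.
# A BCH code is cyclic, so its systematic encoder is plain polynomial division:
# the remainder of m(x)*x^8 divided by g(x) is the parity appended to the message.
BCH_GEN = 0x1D1
BCH_N, BCH_K = 15, 7
BCH_PARITY_BITS = BCH_N - BCH_K  # 8 parity bits protect 7 message bits

# Toy 7-bit command words. ASSUMPTION: these values and the 15-bit frame are
# illustrative only and are not the real EoT/HoT frame layout or command encoding.
CMD_RELEASE = 0b0000001
CMD_EMERGENCY_BRAKE = 0b1111111


def bch_parity(msg: int) -> int:
    """Parity for a 7-bit message: remainder of msg(x)*x^8 mod g(x) over GF(2)."""
    if not 0 <= msg < (1 << BCH_K):
        raise ValueError("message must fit in 7 bits")
    rem = msg << BCH_PARITY_BITS
    for i in range(BCH_N - 1, BCH_PARITY_BITS - 1, -1):  # clear bits 14..8
        if rem >> i & 1:
            rem ^= BCH_GEN << (i - BCH_PARITY_BITS)
    return rem


def bch_encode(msg: int) -> int:
    """Systematic codeword: message in the top 7 bits, parity in the low 8."""
    return (msg << BCH_PARITY_BITS) | bch_parity(msg)


def bch_check(frame: int) -> bool:
    """True when parity matches. Detects corruption; proves nothing about the sender."""
    msg = frame >> BCH_PARITY_BITS
    return bch_parity(msg) == (frame & ((1 << BCH_PARITY_BITS) - 1))


def forge_bch_frame(cmd: int) -> int:
    """Attacker's side: no secret is needed, parity is a public function of the message."""
    return bch_encode(cmd)


# Authenticated alternative: HMAC-SHA256 over (counter || command) under a shared key.
# The strictly increasing counter rejects replay of a genuine frame captured earlier.
TAG_LEN = 8  # 64-bit truncated tag; a demo parameter, not a recommendation from the page


def mac_frame(key: bytes, counter: int, cmd: int) -> bytes:
    body = counter.to_bytes(4, "big") + bytes([cmd])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def mac_check(key: bytes, frame: bytes, last_counter: int) -> tuple[bool, int]:
    """Accept only if the tag verifies AND the counter increases; returns (ok, new_last)."""
    if len(frame) != 4 + 1 + TAG_LEN:
        return False, last_counter
    body, tag = frame[:5], frame[5:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return False, last_counter
    counter = int.from_bytes(body[:4], "big")
    if counter <= last_counter:
        return False, last_counter  # replayed or stale frame
    return True, counter


def demo() -> dict:
    """Run both receivers against the same events; returns what each accepted."""
    results = {}
    # 1. Noise flips one bit of a genuine frame: the BCH check catches it.
    genuine = bch_encode(CMD_RELEASE)
    results["bch_detects_bit_flip"] = not bch_check(genuine ^ (1 << 5))
    # 2. An attacker forges an emergency-brake frame: the BCH check accepts it.
    results["bch_accepts_forgery"] = bch_check(forge_bch_frame(CMD_EMERGENCY_BRAKE))
    # 3. Same forgery against the MAC receiver, with a key the attacker does not hold.
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    attacker_key = bytes(16)
    ok_forged, _ = mac_check(key, mac_frame(attacker_key, 1, CMD_EMERGENCY_BRAKE), 0)
    results["mac_accepts_forgery"] = ok_forged
    ok_real, last = mac_check(key, mac_frame(key, 1, CMD_EMERGENCY_BRAKE), 0)
    results["mac_accepts_genuine"] = ok_real
    ok_replay, _ = mac_check(key, mac_frame(key, 1, CMD_EMERGENCY_BRAKE), last)
    results["mac_accepts_replay"] = ok_replay
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the asymmetry the advisory turns on: the parity catches the flipped bit, but it also passes the attacker's forged frame, because the parity is a public function of the message and needs no secret. The HMAC receiver rejects the forgery and, thanks to the counter, a replay of a genuine frame, but only because both ends share a key; provisioning and rotating keys across a whole fleet is a protocol and key-management change rather than a firmware fix, which is part of why the fix described here is a migration rather than a patch.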
Embedded tweet from wetw0rk (@wetw0rk7):
"Perhaps one of the most badass CVEs I've ever seen from @midwestneil https://cisa.gov/news-events/ics-advisories/icsa-25-191-10…"
Quoted tweet:
"Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story:"
There’s no patch. This isn’t a software bug — it’s a flaw baked into the protocol’s DNA. The long-term fix is a full migration to a secure replacement, likely based on IEEE 802.16t, a modern wireless protocol with built-in authentication. The current industry plan targets 2027, but anyone familiar with critical infrastructure knows: it’ll take longer in practice.
And if this still feels theoretical to you, it shouldn’t.
In August 2023, Poland was hit by a coordinated radio-based attack in which saboteurs used basic transmitters to send emergency-stop signals over an unauthenticated rail frequency. Over twenty trains were disrupted, including freight and passenger traffic. No malware. No intrusion. Just an insecure protocol and an open airwave. (BBC)
So no — this isn’t a “could happen” scenario. It’s already happened. And CVE-2025-1727 shows that the same underlying weakness exists here, in North America, right now.
For those working in railway, OT, or transportation infrastructure, this isn’t just about one protocol or one sector. We’ve seen this same pattern in SCADA, in telemetry links, in industrial control systems: unauthenticated protocols that were never designed for hostile environments, still running in the open.
Now is the time to:
– Reevaluate assumptions about protocol trust
– Assess RF exposure around key routes and control nodes
– Train teams to recognize and respond to unexpected anomalies
– Push for modernization where possible, even before the new protocol is mandated
Because when systems are designed for safety but not security, they become blind to intentional misuse. And in environments where trust is assumed but never verified, protection can quickly turn into exposure.
Safety doesn’t mean security.
Critical Vulnerability in Train Braking Protocol Exposes Rail Networks in North America | Cervello