
CISA is still kicking. They stand behind the researchers doing old-school full disclosure when all else fails. This is actually pretty great of them.


CVE-2025-1727 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).

Attack vector = adjacent is of course doing the heavy lifting in reducing CVSS scores. It’s almost like CVSS wasn’t designed for ICS...


The Association of American Railroads (AAR) is pursuing new equipment and protocols which should replace traditional End-of-Train and Head-of-Train devices. The standards committees involved in these updates are aware of the vulnerability and are investigating mitigating solutions.

This investigation must be pretty thorough if it’s still ongoing after 12 years.


  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

If you somehow put this on the Internet too then (1) it’s time to hire security folks, (2) you are absolutely already owned.

For everyone else – why is this useful advice? This is exploited via RF, no?


No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

500 meters away is remote exploitation when you’re talking about a vuln that will probably be used by nation states only.
