The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical vulnerability that affects railroad communication systems across the US.
The flaw, tracked as CVE-2025-1727, could let an attacker within radio range issue brake commands to a train. It is exploitable only over the radio link, not from the internet.
The vulnerability lies in the End-of-Train (EoT) and Head-of-Train (HoT) remote linking protocol; the EoT device itself is commonly nicknamed FRED.
The link carries status and commands, including brake commands, between the head-of-train unit in the locomotive and the end-of-train device at the rear of a moving train. The vulnerability stems from weak authentication in the protocol: packets are not bound to any secret, so an attacker with a software-defined radio can craft brake control packets that the receiving unit accepts as genuine.
If exploited, the consequences could be dire: unauthorized commands might trigger a sudden stop or induce brake failure, threatening both safety and logistics. The attack requires only adjacent (radio-range) access and low technical skill; no privileges are needed.
The flaw affects all versions of the protocol, which is maintained by the Association of American Railroads (AAR). Manufacturers including Hitachi, Wabtec, and Siemens implement it. The core issue is that packets are protected only by a BCH checksum. A checksum detects transmission errors; because it involves no secret key, anyone who knows the algorithm can compute a valid value for any payload, so it provides no authentication at all.
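To make concrete why a checksum cannot stand in for authentication, which is the weakness behind both the SDR spoofing described above and the BCH point, here is an added example in Python. It is not code from CISA, the researchers, or any vendor. The frame layout, field names, command codes, the pairing key, and the CRC-16 polynomial used in place of the protocol's BCH code are all illustrative assumptions; the real AAR EoT/HoT encoding is not reproduced here. The example shows the same tampering attempt against a checksum-only frame (accepted) and against a frame protected by a keyed MAC plus a sequence counter (rejected).

```python
"""Checksum versus MAC on a radio command frame.

Constructed illustration: the frame layout, field sizes, command codes and the
CRC-16 polynomial standing in for the protocol's BCH code are all assumptions
made for this example. Nothing here reproduces the real AAR EoT/HoT encoding.
"""
import hashlib
import hmac

CMD_STATUS = 0x01        # hypothetical command codes
CMD_APPLY_BRAKES = 0x02


def cyclic_checksum(data: bytes, poly: int = 0x1021, width: int = 16) -> int:
    """Keyless cyclic checksum (CRC-16/XMODEM) by polynomial division.

    BCH codes are cyclic codes too; like this CRC they catch transmission
    errors but depend on no secret, so any party can compute a valid value
    for any payload. The polynomial is an assumption, not the protocol's."""
    topbit = 1 << (width - 1)
    mask = (1 << width) - 1
    reg = 0
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & topbit else (reg << 1) & mask
    return reg


def frame_body(train_id: int, cmd: int, seq: int) -> bytes:
    """Hypothetical 4-byte body: 16-bit unit ID, command byte, sequence byte."""
    return train_id.to_bytes(2, "big") + bytes([cmd, seq])


# --- Vulnerable design: integrity check only, no authentication -------------

def build_checksum_frame(train_id: int, cmd: int, seq: int) -> bytes:
    body = frame_body(train_id, cmd, seq)
    return body + cyclic_checksum(body).to_bytes(2, "big")


def verify_checksum_frame(frame: bytes) -> tuple:
    """Returns (checksum_ok, command). Any well-formed frame passes."""
    body, tag = frame[:-2], int.from_bytes(frame[-2:], "big")
    return cyclic_checksum(body) == tag, body[2]


def forge_brake_command(observed_frame: bytes) -> bytes:
    """What an SDR attacker can do after capturing one legitimate frame:
    rewrite the command byte and recompute the public checksum. No key needed."""
    body = bytearray(observed_frame[:-2])
    body[2] = CMD_APPLY_BRAKES
    return bytes(body) + cyclic_checksum(bytes(body)).to_bytes(2, "big")


# --- Hardened design: keyed MAC plus monotonic sequence number --------------

TAG_LEN = 8  # truncated HMAC-SHA256 tag; 64 bits keeps the frame short (assumption)


def build_mac_frame(key: bytes, train_id: int, cmd: int, seq: int) -> bytes:
    body = frame_body(train_id, cmd, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def verify_mac_frame(key: bytes, frame: bytes, last_seq: int) -> tuple:
    """Returns (accepted, reason). Rejects tampered bodies (bad tag) and
    replays of earlier frames (sequence must be strictly increasing)."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"
    if body[3] <= last_seq:
        return False, "replay"
    return True, "ok"


def demo() -> dict:
    """Run the same tampering attempt against both designs."""
    legit = build_checksum_frame(0x1234, CMD_STATUS, seq=7)
    forged = forge_brake_command(legit)
    ok, cmd = verify_checksum_frame(forged)

    key = bytes(range(32))  # constructed pairing key for the demo only; real keys must be random
    legit_mac = build_mac_frame(key, 0x1234, CMD_STATUS, seq=7)
    forged_mac = bytearray(legit_mac)
    forged_mac[2] = CMD_APPLY_BRAKES  # same tampering, attacker has no key
    return {
        "checksum_forgery_accepted": ok and cmd == CMD_APPLY_BRAKES,
        "mac_forgery_accepted": verify_mac_frame(key, bytes(forged_mac), last_seq=6)[0],
        "mac_replay_accepted": verify_mac_frame(key, legit_mac, last_seq=7)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The first result, a forged brake command that the checksum-only receiver accepts, is the vulnerability in miniature: error detection was never designed to resist an adversary who can transmit. The hardened half is a sketch, not a proposal for the replacement protocol; a real design also has to settle how the key is provisioned at pairing, how the sequence counter survives power cycles, and whether a 64-bit tag and an 8-bit counter are adequate for the frame budget and the expected message rate.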
Researchers Neil Smith and Eric Reuter found the problem. They note that because the vulnerability is exercised over radio frequencies, an attacker needs no foothold on any wired network, which makes it particularly insidious. Exploitation could be swift and disruptive.
CISA recommends its standard defensive measures for control systems: isolate control system networks from the internet, use firewalls and network segmentation, and employ secure VPNs when remote access is necessary. Practitioners should note the caveat that these measures harden the network side but do not close the radio spoofing vector, since the attacker transmits directly to the train's receiver. That is why the industry is working on a replacement protocol that addresses the weakness.
Strengthen Defences Now
So far, there have been no reports of active exploitation, and CISA emphasizes that the vulnerability is not exploitable remotely over the internet. Still, organizations should act now and strengthen defenses before an attack happens.
Railroads face a challenge. Their safety depends on vigilance. The threat is real. The response must be swift. The rails run on more than steel. They run on security as well.
CISA says entities should perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA publishes control systems security recommended practices on its ICS webpage at cisa.gov/ics and encourages organizations to apply these strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are available on the same page in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Any entity that observes suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Don’t Wait For Someone Else to Find Them First
Jamie Akhtar, CEO and Co-founder of CyberSmart, says: “Experts have been warning for years about the dangers posed by IoT devices within critical national infrastructure (CNI), and this story is a chilling example of those warnings made real.”
Akhtar says it’s been clear for some time that CNI across the world is often poorly defended and failing even the most basic security controls (in this case, a twenty-year-old vulnerability), putting all of us at risk. “We echo CISA’s recommendations that all CNI providers should be using rigorous access controls, properly segmenting networks, and ensuring control system devices cannot be hacked via the internet, at a minimum.”
What’s more, Akhtar says this should serve as a warning to other CNI providers to regularly check existing systems for vulnerabilities. “Don’t wait for someone else to find them first.”
Anna Collard, SVP of Content Strategy and Evangelist at KnowBe4, says this vulnerability is a reminder about the technical debt in critical infrastructure. “As digital systems are layered onto legacy Operational Technology (OT) environments, vulnerabilities that were once obscure might become high-impact threats and that cybersecurity is not only about protecting data, but also about safeguarding physical systems, public safety, and national resilience.”
She says it shows the urgent need for robust OT security strategies, regular risk assessments, and coordinated efforts between governments, private industry, and transport operators.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.