Railroad Vulnerability Will Let Hackers Attack Trains

A newly disclosed vulnerability in train braking systems could let hackers remotely stop trains with relatively simple and inexpensive hardware, potentially causing derailments, according to the US Cybersecurity & Infrastructure Security Agency (CISA).

The high-severity vulnerability, tracked as CVE-2025-1727, involves weak authentication in the protocol used to send what are known as end-of-train and head-of-train packets, radio signals that command a rail vehicle’s end-of-train device to stop the vehicle.

“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said in an advisory, adding that the vulnerability was relatively simple to exploit.

The Association of American Railroads, an industry trade group that manages a committee responsible for maintaining the flawed protocol, is developing new systems to replace the vulnerable ones, according to the CISA advisory. However, these new systems won’t be ready until 2027 at the earliest, according to Neil Smith, one of two researchers who independently discovered the vulnerability and reported it to CISA. Indeed, the vulnerability was first reported on at the DEF CON hacker conference in 2018, when Eric Reuter, the other researcher credited with its discovery, first talked about it.

Today, the vulnerability is recognised as potentially one of the most serious cyber threats to rail infrastructure ever discovered. By sending fraudulent brake signals to a train, hackers could derail or damage it, endangering passengers and cargo and disrupting the US’s complex freight and passenger rail system.

The US has around 140,000 miles of track, which carry over a billion tons of goods annually, and railroads are also vital to military logistics. Hackers believed to be working for the Russian government have hit rail lines in Ukraine and Poland, the latter a key hub for Western aid bound for Ukraine.

The US Transportation Security Administration, the federal agency responsible for helping to protect the rail industry from cyber threats and natural disasters, issued its first cyber regulations in 2022. Since then, the TSA has tried to work with the industry to improve digital defences, but so far without success. 

CISA | Trains.com | Cybersecurity Dive | Neil Smith | Eric Reuter | 404Media

Image: Ideogram
