Unaddressed security flaw on U.S. trains for 13 years allows anyone to trigger the brakes on the final carriage; operators finally take action to rectify the problem now.
American trains continue to operate with a critical vulnerability that was first discovered in 2012, and as of July 11, 2025, it remains unpatched. This vulnerability, known as CVE-2025-1727, allows hackers to take control over the brakes of American trains, potentially posing a significant risk to passenger safety.
The American Association of Railways (AAR) initially dismissed the vulnerability as a theoretical issue when it was first discovered. However, the institution refused to act on the vulnerability until the Cybersecurity & Infrastructure Security Agency (CISA) published an advisory a few days ago, due to the continued inaction of the AAR.
The End-of-Train (EoT) module on American trains reports telemetry data wirelessly, and the Head-of-Train (HoT) can issue a brake command to the EoT through this system. Anyone with the appropriate hardware (available for less than $500) and know-how can exploit this vulnerability to issue a brake command without the train driver's knowledge.
The AAR's Director of Information Security stated that the vulnerable devices are nearing their end of life by 2024. Despite this, the AAR announced an update for the vulnerability in April 2025, with the institution that has scheduled the current update for the protection of End-of-Train Modules on American trains being the Federal Railroad Administration (FRA) in 2027.
However, the implementation of the solution is progressing slowly, with 2027 being the earliest projected year of deployment. The Federal Railway Authority (FRA) lacks a test track facility, and the AAR has not permitted any testing due to security concerns on their property.
The CISA officially published an advisory regarding the unresolved vulnerability in 2025 due to the AAR's continued inaction. The software-defined radios (SDR) started becoming more popular when the vulnerability was first discovered in 2012, and the vulnerability has been a persistent concern since then.
As the vulnerability persists, the safety of American trains and their passengers remains at risk. The AAR must prioritise the resolution of this issue to ensure the security of the rail network and the protection of those who rely on it.
