
[Article updated to add CISA quote at paragraphs 5, 6 and 7]
A critical cybersecurity vulnerability affecting American freight train systems has gone unaddressed for over a decade, despite warnings dating back to 2012. The issue lies in End-of-Train (EoT) modules, which transmit telemetry wirelessly from the rear of a freight train to the locomotive at the front, and was first identified in 2012 by hardware security researcher Neil Smith, who posts as Neils. He shared details last week on X, formerly Twitter, noting that the risk became practical once software-defined radios (SDRs) became widely accessible, allowing attackers to intercept or spoof EoT communications.
Yet for years, the Association of American Railroads (AAR) declined to act on the findings. As recently as 2024, the AAR’s Director of Information Security downplayed the threat, arguing the devices were nearing end of life and did not warrant urgent attention. An attacker could nonetheless take remote control of a train’s brake controller from a considerable distance using hardware costing less than US$500. That access could trigger a sudden stop or induce brake failure, potentially causing a derailment, or, applied at scale, bring the national rail network to a halt.
Frustrated by the inaction, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a formal advisory just days ago, forcing the AAR to acknowledge the issue publicly. In April the AAR announced a plan to replace the vulnerable protocol, but implementation is crawling: the earliest projected deployment date is 2027.
The delay raises questions about risk management across critical infrastructure sectors and why it took public pressure for a systemic vulnerability to get any traction.
“The End-of-Train (EOT) and Head-of-Train (HOT) vulnerability has been understood and monitored by rail sector stakeholders for over a decade,” Chris Butera, CISA’s acting executive assistant director for cybersecurity, wrote in an emailed statement. “To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespread exploitation—particularly without a large, distributed presence in the U.S.”
Butera noted that while the vulnerability remains technically significant, CISA has been working with industry partners to drive mitigation strategies.
He added that “Fixing this issue requires changes to a standards-enforced protocol, and that work is currently underway. CISA continues to encourage manufacturers to adopt Secure by Design principles to reduce the attack surface and ensure resilient communications systems for operators.”
In the advisory, CISA identified a ‘weak authentication’ vulnerability in the remote linking protocol used between End-of-Train and Head-of-Train devices, affecting all versions currently deployed across U.S. rail systems. “Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure.”
The protocol used for remote linking over RF between End-of-Train devices (commonly called a FRED, for flashing rear-end device) and Head-of-Train devices protects each packet with nothing more than a BCH checksum. BCH is an error-correcting code: it catches bit errors introduced on the air, but it involves no secret, so anyone who knows the frame format can compute a valid checksum for a frame of their own choosing. With a software-defined radio an attacker can therefore construct well-formed EoT and HoT packets and issue brake control commands to the EoT device, disrupting operations or inducing brake failure.
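The following Python is an added illustration of that point; it is not code from this article, from PyEOT, or from the AAR protocol, and it does not model the real EoT/HoT frame. The 7-bit command field, the binary BCH(15,7) code, the “apply brakes” bit pattern, the shared key and the truncated 4-byte HMAC tag are all assumptions chosen to keep the example small. It shows that a receiver which only checks a BCH checksum accepts a forged brake command as readily as a genuine one, while the same forgery fails against a frame carrying a keyed MAC.

```python
"""Added illustration: a BCH checksum detects channel noise but provides no
authentication. Not PyEOT and not the AAR remote-linking protocol; the
7-bit command field and BCH(15,7) parameters are assumptions for the demo."""
import hmac
import hashlib

# Generator polynomial of the binary BCH(15,7) code, g(x) = x^8+x^7+x^6+x^4+1,
# the product of the minimal polynomials of alpha and alpha^3 over GF(16).
# It corrects up to two bit errors per 15-bit codeword.
GEN = 0b111010001
GEN_DEG = 8          # number of parity bits
K = 7                # message (command) bits
N = K + GEN_DEG      # codeword length, 15


def _poly_mod(value: int) -> int:
    """Remainder of value(x) modulo g(x) over GF(2), for value < 2**N."""
    for i in range(N - 1, GEN_DEG - 1, -1):
        if value & (1 << i):
            value ^= GEN << (i - GEN_DEG)
    return value


def bch_encode(command: int) -> int:
    """Systematic encoding: 7 command bits followed by 8 BCH parity bits."""
    if not 0 <= command < (1 << K):
        raise ValueError("command must fit in 7 bits")
    parity = _poly_mod(command << GEN_DEG)
    return (command << GEN_DEG) | parity


def bch_checksum_ok(codeword: int) -> bool:
    """A genuine codeword is divisible by g(x); noise leaves a non-zero remainder."""
    return _poly_mod(codeword) == 0


def bch_command(codeword: int) -> int:
    """Extract the command field, as a receiver that trusts the checksum would."""
    return codeword >> GEN_DEG


# --- hardened shape: the same codeword plus a keyed MAC over it ---------------

def mac_frame(codeword: int, key: bytes) -> bytes:
    """Codeword (2 bytes, big-endian) followed by a 4-byte HMAC-SHA256 tag.
    Truncating the tag is an assumption made here for a narrow radio link."""
    body = codeword.to_bytes(2, "big")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:4]
    return body + tag


def mac_frame_ok(frame: bytes, key: bytes) -> bool:
    """Constant-time tag check first, then the BCH checksum for noise."""
    if len(frame) != 6:
        return False
    body, tag = frame[:2], frame[2:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expected):
        return False
    return bch_checksum_ok(int.from_bytes(body, "big"))


# Constructed values for the demonstration (not real protocol encodings).
BRAKE_CMD = 0b1010101                 # hypothetical "apply brakes" command
KEY = b"constructed-demo-shared-key"  # what HoT and EoT would share after pairing
ATTACKER_KEY = b"attacker-guess"      # the attacker does not hold KEY


def forged_packet_accepted() -> bool:
    """Attacker with an SDR computes the parity bits; the receiver accepts them."""
    forged = bch_encode(BRAKE_CMD)    # no secret needed, parity is public arithmetic
    return bch_checksum_ok(forged) and bch_command(forged) == BRAKE_CMD


def noisy_packet_accepted() -> bool:
    """A single bit flipped on the air is what the BCH code exists to catch."""
    return bch_checksum_ok(bch_encode(BRAKE_CMD) ^ (1 << 3))


def forged_mac_frame_accepted() -> bool:
    """The same forgery against the keyed variant: the tag does not verify."""
    forged = mac_frame(bch_encode(BRAKE_CMD), ATTACKER_KEY)
    return mac_frame_ok(forged, KEY)


if __name__ == "__main__":
    print("checksum-only receiver accepts forged brake command:", forged_packet_accepted())
    print("checksum-only receiver accepts bit-flipped frame:", noisy_packet_accepted())
    print("MAC receiver accepts forged brake command:", forged_mac_frame_accepted())
```

The contrast is the whole lesson of CISA’s “weak authentication” finding: the checksum-only receiver rejects the corrupted frame and accepts the forged one, because a checksum answers “was this damaged in transit?” and not “who sent it?”. A MAC (or a signature, with key pairing at link-up) answers the second question, which is the kind of protocol change the standards work described below has to deliver.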
The vulnerability has been assigned CVE-2025-1727. It carries a CVSS v3 base score of 8.1, indicating high severity. Under the newer CVSS v4 system, it has been rated with a base score of 7.2, which also falls in the high range.
Neil Smith and Eric Reuter reported this vulnerability to CISA.
The agency added that the AAR is pursuing new equipment and protocols that should replace traditional End-of-Train and Head-of-Train devices. The standards committees involved in these updates are aware of the vulnerability and are investigating mitigating solutions.
The AAR Railroad Electronics Standards Committee (RESC) maintains this protocol, which is used by multiple manufacturers across the industry, including Hitachi Rail STS USA, Wabtec, Siemens, and others.
CISA called upon users of EoT/HoT devices to contact their device manufacturers with questions. The advisory follows recent estimates that around 25,000 freight locomotives will require Head-of-Train (HOT) system upgrades, while roughly 45,000 EOT devices are currently in use across the national fleet.
“I reported this in 2012 when I was very active with ICS-CERT, doing embedded industrial control security research. ICS-CERT was scrappy and new, but were a great group that did everything they could to help resolve critical infrastructure vulnerabilities,” Neils wrote in his X thread, adding that “2012 to 2016 was a stalemate between ICS-CERT and the American Association of Railways (AAR). Everything is just ‘theoretical’ when you’re reversing a protocol in a lab using simulated radio traffic, and the AAR would only acknowledge the vulnerability if we could prove it IRL.”
In 2016, Neils published an article in the Boston Review detailing how the Federal Railroad Administration (FRA) did not operate its own test track facility, and how the Association of American Railroads (AAR) routinely blocked security-related testing that could expose vulnerabilities. The AAR later responded with a dismissive rebuttal in Fortune magazine. “I burned out on this for a while after that article. I felt like this was never going to see the light of day, and I was not going to win against big corp lobbying.”
In 2018, Eric Reuter independently found the same vulnerability, “but only gave a talk at DEF CON on reverse engineering the protocol. I’d highly recommend checking out PyEOT if you want specifics on RE’ing this vulnerability.”
Neils added that “In 2024, I noticed that ICS-CERT had re-orged a few times and I decided to open a new ticket with them to see what ever happened to this? Did they just give up?”
“No one really knows what happened to it, BUT they were 100% behind getting it right this time. We went back and forth with vendors and the AAR for a few months trying to get the right parties involved to address this issue,” he mentioned. “AAR’s Director of Information Security decided this was not that big of a deal, and they were not going to do anything about it as the devices and protocol were ‘end of life’ which is ironic because they are still in use today. AAR walked away from talking to CISA multiple times.”
He tweeted that “CISA finally agreed with me that publication would be the only remaining option to pressure AAR to fix this issue. And it kinda worked. In April, they announced 802.16t will replace the EOT/HOT vulnerable protocol. When will this happen by? 2027 at best.”
Earlier this year, following reports of a major cyberattack on Ukrzaliznytsia, Ukraine’s state-owned railway operator, Kyiv’s central railway station was unusually crowded on a Monday morning. Long lines formed as dozens of travelers waited to buy tickets for domestic and international routes. The cyberattack disrupted digital services, including the mobile app used for ticket purchases, though train schedules remained unaffected, according to a statement from Ukrzaliznytsia.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.