Pierluigi Paganini July 15, 2025

A 20-year-old flaw in End-of-Train and Head-of-Train systems could let hackers trigger emergency braking, finally getting proper attention.

US CISA has warned about a critical flaw, tracked as CVE-2025-1727, in the radio-based linking protocol between End-of-Train (EoT) and Head-of-Train (HoT) systems.

An End-of-Train (EoT) device, also known as a Flashing Rear End Device (FRED), is a wireless system attached to the last car of a freight train. An EoT device monitors and transmits key data to the locomotive, enables remote emergency braking, and marks the train’s rear with a flashing light.

These systems, used in freight trains to relay data and apply the rear brakes, lack encryption and authentication. Attackers could exploit this vulnerability by sending crafted radio packets via software-defined radios, potentially issuing unauthorized brake commands and compromising train safety.

“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure.” reads the CISA’s advisory.

CISA labeled the flaw as a WEAK AUTHENTICATION CWE-1390. The EoT/HoT remote RF linking protocol uses a BCH checksum, allowing attackers with a software-defined radio to forge packets and send brake commands, risking disruption or brake system overload.

T”he protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation.” states CISA. “It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.”

The researchers Neil Smith and Eric Reuter reported the vulnerability, which has yet to be patched.

“Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched.” Neil Smith wrote on X.

Smith explained that in the 1980s, the caboose was replaced by the End-of-Train (EoT) device or FRED, which wirelessly communicates train telemetry and can receive brake commands. The RF protocol it uses is outdated, relying only on a simple BCH checksum and no real security, under the assumption that FCC regulations would prevent misuse.

The researcher first reported the vulnerability in 2012 after detecting the signal with an RTL-SDR and recognizing the protocol’s structure. However, efforts to get the American Association of Railroads (AAR) and the Federal Railroad Administration (FRA) to act were stalled for years, with AAR refusing to acknowledge the issue unless proven in a real-world scenario.

Though another researcher, Eric Reuter, independently discovered the flaw in 2018, only in 2024 did the case gain traction again with renewed support from CISA. AAR still downplayed the threat, claiming the system was “end of life,” despite its continued use, including in passenger trains.

Eventually, under pressure, it was announced that the vulnerable protocol would be replaced with IEEE 802.16t by 2027. The risk remains severe: an attacker using a $500 radio setup could trigger train brake failures or derailments from a distance, posing national safety risks. The researcher warns against trying this, as it could seriously injure or kill people.

CISA’s advisory states there’s no evidence of active exploitation of the EoT/HoT vulnerability. The standards committee is seeking mitigations, and the AAR is working on replacing the outdated devices and protocols with new equipment.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cisa)