Critical Train Protocol Flaw Allows Remote Brake Control, Risks Derailment
10 months ago
- #Transportation
- #Vulnerability
- #Cybersecurity
- CVSS v4 score of 7.2 for a vulnerability in End-of-Train and Head-of-Train remote linking protocol.
- Weak authentication allows attackers to send brake control commands via software-defined radio, risking operational disruption or brake failure.
- Affects all versions of the protocol; CVE-2025-1727 assigned with CVSS v3 base score of 8.1.
- Critical infrastructure sector impacted: Transportation Systems, primarily in the United States.
- Mitigations include minimizing network exposure, using firewalls, secure remote access methods like VPNs, and contacting device manufacturers for updates.
- No known public exploitation reported; vulnerability not remotely exploitable.
- AAR working on new equipment and protocols to address the vulnerability.