Search criteria
1 vulnerability by End-of-Train and Head-of-Train remote linking protocol
CVE-2025-1727 (GCVE-0-2025-1727)
Vulnerability from cvelistv5 ā Published: 2025-07-10 22:59 ā Updated: 2025-07-11 14:06
VLAI?
Title
End-of-Train and Head-of-Train Remote Linking Protocol Weak Authentication
Summary
The protocol used for remote linking over RF for End-of-Train and
Head-of-Train (also known as a FRED) relies on a BCH checksum for packet
creation. It is possible to create these EoT and HoT packets with a
software defined radio and issue brake control commands to the EoT
device, disrupting operations or potentially overwhelming the brake
systems.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| End-of-Train and Head-of-Train remote linking protocol | End-of-Train and Head-of-Train remote linking protocol |
Affected:
All versions
|
Credits
Neil Smith and Eric Reuter reported this vulnerability to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T14:06:22.369634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:06:28.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "End-of-Train and Head-of-Train remote linking protocol",
"vendor": "End-of-Train and Head-of-Train remote linking protocol",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Neil Smith and Eric Reuter reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The protocol used for remote linking over RF for End-of-Train and \nHead-of-Train (also known as a FRED) relies on a BCH checksum for packet\n creation. It is possible to create these EoT and HoT packets with a \nsoftware defined radio and issue brake control commands to the EoT \ndevice, disrupting operations or potentially overwhelming the brake \nsystems."
}
],
"value": "The protocol used for remote linking over RF for End-of-Train and \nHead-of-Train (also known as a FRED) relies on a BCH checksum for packet\n creation. It is possible to create these EoT and HoT packets with a \nsoftware defined radio and issue brake control commands to the EoT \ndevice, disrupting operations or potentially overwhelming the brake \nsystems."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1390",
"description": "CWE-1390",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T22:59:34.802Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-10"
}
],
"source": {
"advisory": "ICSA-25-191-10",
"discovery": "EXTERNAL"
},
"title": "End-of-Train and Head-of-Train Remote Linking Protocol Weak Authentication",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Association of American Railroads (AAR) is pursuing new equipment\n and protocols which should replace traditional End-of-Train and \nHead-of-Train devices. The standards committees involved in these \nupdates are aware of the vulnerability and are investigating mitigating \nsolutions.\u003c/p\u003e\n\u003cp\u003eThe AAR Railroad Electronics Standards Committee (RESC) maintains \nthis protocol which is used by multiple manufacturers across the \nindustry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. \nUsers of EoT/HoT devices are recommended to contact their own device \nmanufacturers with questions.\u003c/p\u003e"
}
],
"value": "The Association of American Railroads (AAR) is pursuing new equipment\n and protocols which should replace traditional End-of-Train and \nHead-of-Train devices. The standards committees involved in these \nupdates are aware of the vulnerability and are investigating mitigating \nsolutions.\n\n\nThe AAR Railroad Electronics Standards Committee (RESC) maintains \nthis protocol which is used by multiple manufacturers across the \nindustry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. \nUsers of EoT/HoT devices are recommended to contact their own device \nmanufacturers with questions."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-1727",
"datePublished": "2025-07-10T22:59:34.802Z",
"dateReserved": "2025-02-26T20:19:11.460Z",
"dateUpdated": "2025-07-11T14:06:28.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}