CVE-2025-1727 (GCVE-0-2025-1727)

Vulnerability from cvelistv5 – Published: 2025-07-10 22:59 – Updated: 2025-07-11 14:06
VLAI?
Title
End-of-Train and Head-of-Train Remote Linking Protocol Weak Authentication
Summary
The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.
Severity ?
8.1 (High)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
7.2 (High)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
Assigner
References
Impacted products
Vendor Product Version
End-of-Train and Head-of-Train remote linking protocol End-of-Train and Head-of-Train remote linking protocol Affected: All versions
Create a notification for this product.
Credits
Neil Smith and Eric Reuter reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1727",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T14:06:22.369634Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T14:06:28.251Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "End-of-Train and Head-of-Train remote linking protocol",
          "vendor": "End-of-Train and Head-of-Train remote linking protocol",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Neil Smith and Eric Reuter reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The protocol used for remote linking over RF for End-of-Train and \nHead-of-Train (also known as a FRED) relies on a BCH checksum for packet\n creation. It is possible to create these EoT and HoT packets with a \nsoftware defined radio and issue brake control commands to the EoT \ndevice, disrupting operations or potentially overwhelming the brake \nsystems."
            }
          ],
          "value": "The protocol used for remote linking over RF for End-of-Train and \nHead-of-Train (also known as a FRED) relies on a BCH checksum for packet\n creation. It is possible to create these EoT and HoT packets with a \nsoftware defined radio and issue brake control commands to the EoT \ndevice, disrupting operations or potentially overwhelming the brake \nsystems."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1390",
              "description": "CWE-1390",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T22:59:34.802Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-10"
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-10",
        "discovery": "EXTERNAL"
      },
      "title": "End-of-Train and Head-of-Train Remote Linking Protocol Weak Authentication",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Association of American Railroads (AAR) is pursuing new equipment\n and protocols which should replace traditional End-of-Train and \nHead-of-Train devices. The standards committees involved in these \nupdates are aware of the vulnerability and are investigating mitigating \nsolutions.\u003c/p\u003e\n\u003cp\u003eThe AAR Railroad Electronics Standards Committee (RESC) maintains \nthis protocol which is used by multiple manufacturers across the \nindustry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. \nUsers of EoT/HoT devices are recommended to contact their own device \nmanufacturers with questions.\u003c/p\u003e"
            }
          ],
          "value": "The Association of American Railroads (AAR) is pursuing new equipment\n and protocols which should replace traditional End-of-Train and \nHead-of-Train devices. The standards committees involved in these \nupdates are aware of the vulnerability and are investigating mitigating \nsolutions.\n\n\nThe AAR Railroad Electronics Standards Committee (RESC) maintains \nthis protocol which is used by multiple manufacturers across the \nindustry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. \nUsers of EoT/HoT devices are recommended to contact their own device \nmanufacturers with questions."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-1727",
    "datePublished": "2025-07-10T22:59:34.802Z",
    "dateReserved": "2025-02-26T20:19:11.460Z",
    "dateUpdated": "2025-07-11T14:06:28.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-1727\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-07-10T23:15:27.600\",\"lastModified\":\"2025-07-15T13:14:49.980\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The protocol used for remote linking over RF for End-of-Train and \\nHead-of-Train (also known as a FRED) relies on a BCH checksum for packet\\n creation. It is possible to create these EoT and HoT packets with a \\nsoftware defined radio and issue brake control commands to the EoT \\ndevice, disrupting operations or potentially overwhelming the brake \\nsystems.\"},{\"lang\":\"es\",\"value\":\"El protocolo utilizado para la conexi\u00f3n remota por RF para End-of-Train and Head-of-Train (tambi\u00e9n conocido como FRED) se basa en una suma de comprobaci\u00f3n BCH para la creaci\u00f3n de paquetes. Es posible crear estos paquetes EoT y HoT con una radio definida por software y emitir comandos de control de freno al dispositivo EoT, lo que podr\u00eda interrumpir las operaciones o saturar los sistemas de freno.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1390\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-10\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1727\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-11T14:06:22.369634Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-11T14:06:25.740Z\"}}], \"cna\": {\"title\": \"End-of-Train and Head-of-Train Remote Linking Protocol Weak Authentication\", \"source\": {\"advisory\": \"ICSA-25-191-10\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Neil Smith and Eric Reuter reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"End-of-Train and Head-of-Train remote linking protocol\", \"product\": \"End-of-Train and Head-of-Train remote linking protocol\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-10\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"The Association of American Railroads (AAR) is pursuing new equipment\\n and protocols which should replace traditional End-of-Train and \\nHead-of-Train devices. The standards committees involved in these \\nupdates are aware of the vulnerability and are investigating mitigating \\nsolutions.\\n\\n\\nThe AAR Railroad Electronics Standards Committee (RESC) maintains \\nthis protocol which is used by multiple manufacturers across the \\nindustry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. \\nUsers of EoT/HoT devices are recommended to contact their own device \\nmanufacturers with questions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe Association of American Railroads (AAR) is pursuing new equipment\\n and protocols which should replace traditional End-of-Train and \\nHead-of-Train devices. The standards committees involved in these \\nupdates are aware of the vulnerability and are investigating mitigating \\nsolutions.\u003c/p\u003e\\n\u003cp\u003eThe AAR Railroad Electronics Standards Committee (RESC) maintains \\nthis protocol which is used by multiple manufacturers across the \\nindustry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. \\nUsers of EoT/HoT devices are recommended to contact their own device \\nmanufacturers with questions.\u003c/p\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The protocol used for remote linking over RF for End-of-Train and \\nHead-of-Train (also known as a FRED) relies on a BCH checksum for packet\\n creation. It is possible to create these EoT and HoT packets with a \\nsoftware defined radio and issue brake control commands to the EoT \\ndevice, disrupting operations or potentially overwhelming the brake \\nsystems.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The protocol used for remote linking over RF for End-of-Train and \\nHead-of-Train (also known as a FRED) relies on a BCH checksum for packet\\n creation. It is possible to create these EoT and HoT packets with a \\nsoftware defined radio and issue brake control commands to the EoT \\ndevice, disrupting operations or potentially overwhelming the brake \\nsystems.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1390\", \"description\": \"CWE-1390\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-07-10T22:59:34.802Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-1727\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-11T14:06:28.251Z\", \"dateReserved\": \"2025-02-26T20:19:11.460Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-07-10T22:59:34.802Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.