CISA Warns Decades-Old Flaw Lets Hackers Trigger US Train Brakes

The US Cybersecurity and Infrastructure Security Agency has issued an advisory on CVE-2025-1727, a decades-old flaw that allows anyone with a software-defined radio costing less than $500 to send false brake commands to freight and passenger trains. The weakness affects the wireless link between End-of-Train devices—installed since the 1980s as a caboose replacement—and the locomotive’s Head-of-Train unit, which was never encrypted or authenticated. Researchers first flagged the problem in 2012, but the rail sector dismissed it as theoretical until CISA’s public warning last week. Security specialists say an attacker positioned near the track—or using a drone-mounted transmitter—could remotely stop a train, risking derailments or network-wide disruption. CISA rates the bug’s severity at 8.1 out of 10; no malicious incidents have been confirmed so far. After renewed federal pressure, the Association of American Railroads agreed this year to replace roughly 25,000 locomotives and 45,000 rear-end units. Hardware upgrades will begin in 2026, with full deployment unlikely before 2027, leaving much of the nation’s rolling stock exposed in the interim. CISA says it is working with operators on short-term mitigations such as stronger trackside access controls and segmented onboard networks.