End-of-Train and Head-of-Train Remote Linking Protocol (Update C)

Plan PatchCVSS 8.1ICS-CERT ICSA-25-191-10Jul 10, 2025

SiemensTransportation

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in End-of-Train and Head-of-Train remote linking protocols allows an attacker with network access to send unauthorized brake control commands to these devices. Successful exploitation could cause sudden train stoppage or induce brake failure, disrupting rail operations. The vulnerability affects all versions of the protocol used by multiple manufacturers including Wabtec, Siemens, and DPS Electronics. The protocol is maintained by the Association of American Railroads (AAR) Railroad Electronics Standards Committee. No patch is planned; the AAR is developing replacement equipment and protocols to address this issue.

What this means

What could happen

An attacker with network access to an End-of-Train or Head-of-Train device could send unauthorized brake control commands, causing sudden train stoppage or brake failure and disrupting rail operations.

Who's at risk

Operators of freight and passenger rail systems using End-of-Train or Head-of-Train remote linking devices from Wabtec, Siemens, or DPS Electronics should be aware of this vulnerability. This affects rail yards, locomotive operations, and any rail infrastructure using wireless brake control systems.

How it could be exploited

An attacker must reach the EoT/HoT device over a local network (not remotely over the internet). They can then craft and send brake control commands using the unprotected protocol, overriding legitimate commands and causing the train to stop suddenly or fail to brake properly.

Prerequisites

Network access to the EoT/HoT device (local network only; not exploitable over the internet)
Ability to send messages on the protocol used by the device
No authentication or valid credentials required

no authentication requiredlow complexityno patch availableaffects safety systemshigh impact on critical infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

End-of-Train and Head-of-Train remote linking protocol: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDContact your EoT/HoT device manufacturer (Wabtec, Siemens, or DPS Electronics) for device-specific security guidance and any available mitigations

Mitigations - no patch available

0/3

End-of-Train and Head-of-Train remote linking protocol: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate EoT/HoT devices from business networks using a firewall or air gap

HARDENINGRestrict network access to EoT/HoT devices to authorized personnel and systems only

HARDENINGImplement network segmentation so EoT/HoT devices are not accessible from the internet or untrusted networks

CVEs (1)

CVE-2025-1727

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ea5bffdc-aa63-499b-b3c8-8fd6a858a798

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.