We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Vulnerability Allows Hackers To Control U.S. Train Brake Systems

Andrea Miliani, Cybersecurity Researcher. Published on July 18, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on July 10 warning about a vulnerability in a key train system that could allow hackers to send brake control commands remotely and cause significant disruption. The vulnerability was first reported in 2012.

According to CISA’s report, the vulnerability, designated CVE-2025-1727, affected all versions of the End-of-Train (EoT) and Head-of-Train (HoT) remote linking protocol, allowing malicious actors to manipulate trains’ brake systems using radio transmissions.

“The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation,” states the document. “It is possible to create these EoT and HoT packets with a software-defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.”
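The weakness CISA describes comes down to the difference between a checksum and authentication. The sketch below is an added example, not code from the advisory or from any railroad system: the frame layout, the generator polynomial, and the key are constructed for illustration and are not the EoT/HoT format. It contrasts a receiver that only checks a checksum with one that requires a keyed MAC and a fresh counter.

```python
import hashlib, hmac, struct

POLY = 0x11021  # constructed 16-bit generator, NOT the real EoT/HoT BCH code
def checksum(data: bytes) -> int:
    """Polynomial-remainder checksum: catches bit errors, involves no secret."""
    reg = 0
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            reg <<= 1
            if reg & 0x10000:
                reg ^= POLY
    return reg

def make_plain(unit_id: int, command: int) -> bytes:
    body = struct.pack(">IB", unit_id, command)  # constructed frame layout
    return body + struct.pack(">H", checksum(body))

def accept_plain(frame: bytes) -> bool:
    # Proves only that the bits arrived intact, not who sent them.
    return struct.pack(">H", checksum(frame[:-2])) == frame[-2:]

def make_auth(key: bytes, unit_id: int, command: int, counter: int) -> bytes:
    body = struct.pack(">IBI", unit_id, command, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

class AuthReceiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, -1
    def accept(self, frame: bytes) -> bool:
        body, tag = frame[:-16], frame[-16:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if len(body) != 9 or not hmac.compare_digest(good, tag):
            return False  # sender does not hold the shared key
        counter = struct.unpack(">IBI", body)[2]
        if counter <= self.last:
            return False  # replayed or stale frame
        self.last = counter
        return True

def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-one"
    rx = AuthReceiver(key)
    genuine = make_auth(key, 0x1234, 1, counter=1)
    return {
        "plain_keyless_sender": accept_plain(make_plain(0x1234, 1)),
        "auth_genuine": rx.accept(genuine),
        "auth_replayed": rx.accept(genuine),
        "auth_wrong_key": rx.accept(make_auth(b"k" * 32, 0x1234, 1, counter=2)),
    }
```

The checksum-only receiver accepts any well-formed frame because building one needs no secret, while the keyed receiver rejects both a frame from a sender without the key and a replay of a genuine frame.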

CISA explained that experts are currently working on mitigations and that the Association of American Railroads (AAR) is looking for new equipment to replace the traditional devices. The agency credited cybersecurity experts Neil Smith and Eric Reuter as the first to report the vulnerability.

According to The Register, Smith reported the issue to the U.S. government over 10 years ago, in 2012. The expert shared several posts on the social media platform X explaining more about the vulnerability, its risks, and how he discovered it.

“So, how bad is this? You could remotely take control over a Train's brake controller from a very long distance away, using hardware that costs sub $500,” wrote Smith. “You could induce brake failure leading to derailments, or you could shut down the entire national railway system.”

Smith added that publicly acknowledging the vulnerability was intended to pressure the AAR into taking action. He also predicts that the brake systems will be replaced by 2027.

CISA’s advisory was issued just days after other transportation services worldwide were targeted by cyberattacks. The FBI recently warned about the international hacking group Scattered Spider targeting airlines and travelers.

About the Author

Andrea is a seasoned tech journalist with a growing passion for cybersecurity, covering cyberattacks, AI breakthroughs, and the latest trends shaping the future of technology.
