Skip to main content

IoT CVE-2025-1727

| EUVDEUVD-2025-21087 HIGH
Weak Authentication (CWE-1390)
2025-07-10 ics-cert@hq.dhs.gov
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21087
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 23:15 nvd
HIGH 8.1

DescriptionCVE.org

The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.

AnalysisAI

CVE-2025-1727 is a critical vulnerability in RF-based remote linking protocols used for End-of-Train (EoT) and Head-of-Train (HoT/FRED) devices in railway operations. The vulnerability exploits a weak BCH checksum implementation that allows attackers to forge brake control commands using software-defined radios (SDR), potentially disrupting train operations or overwhelming brake systems. This affects railway infrastructure globally, with a CVSS score of 8.1 indicating high severity; active exploitation status and proof-of-concept availability are critical factors that determine immediate priority despite the attack requiring physical/adjacent network proximity.

Technical ContextAI

The vulnerability resides in the RF communication protocol layer used for train consist monitoring and control systems. End-of-Train and Head-of-Train devices rely on Bose-Chaudhuri-Hocquenghem (BCH) error-correcting codes for packet integrity verification. BCH checksums, while useful for detecting transmission errors, are not cryptographically secure and can be mathematically forged by an attacker with knowledge of the checksum algorithm. The root cause maps to CWE-1390 (Weak Authentication), indicating insufficient authentication mechanisms in the RF protocol—specifically, the absence of cryptographic message authentication codes (MAC) or digital signatures. An attacker with access to SDR equipment can analyze captured packets, compute valid BCH checksums for malicious brake command payloads, and transmit forged commands that the EoT/HoT devices will accept as legitimate. This is particularly dangerous because railway brake systems are safety-critical: flooding with brake commands could cause unintended braking, loss of train control, or derailment in severe cases.

RemediationAI

Immediate remediation requires: (1) Firmware updates from device manufacturers that replace BCH checksum validation with cryptographically secure message authentication (HMAC-SHA256 or AES-CMAC); (2) Protocol updates implementing symmetric or asymmetric encryption for RF command channels; (3) Rollout of updated RF receivers that reject unauthenticated brake commands. Short-term mitigations pending patches: (a) Operational security controls—restrict train operations to secured rail yards or main lines with monitored RF environments; (b) RF shielding or frequency-hopping protocols to increase attack difficulty; (c) Enhanced monitoring for anomalous brake command patterns via consist telemetry; (d) Disable remote RF brake control where operationally feasible, reverting to hardwired or verified-secure control channels. Manufacturers should issue security advisories with patch timelines immediately. Regulatory bodies (FRA in US, RSSB in UK, ERA in EU) should coordinate with operators to ensure coordinated deployment. Patches should be backward-compatible where possible to avoid fleet-wide downtimes.

More in IoT

View all
CVE-2025-45988 CRITICAL POC
9.8 Jun 13

A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-29128 CRITICAL POC
10.0 Mar 05

Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.

CVE-2025-63624 CRITICAL POC
9.8 Feb 03

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the

CVE-2026-25139 CRITICAL POC
9.1 Feb 04

RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o

CVE-2025-5875 HIGH POC
8.8 Jun 09

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available

CVE-2025-34023 HIGH POC
8.5 Jun 20

CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth

CVE-2025-48466 HIGH POC
8.1 Jun 24

CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.

CVE-2026-27177 HIGH POC
7.2 Feb 18

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in

CVE-2025-7503 CRITICAL
10.0 Jul 11

CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect

CVE-2025-64090 CRITICAL
10.0 Jan 09

Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.

CVE-2026-1633 CRITICAL
10.0 Feb 04

Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)

CVE-2025-40805 CRITICAL
10.0 Jan 13

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc

Share

CVE-2025-1727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy