Cyber Posture

CVE-2025-1727

High

Published: 10 July 2025

Modified: 15 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0012 (30.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1727 is a high-severity Weak Authentication (CWE-1390) vulnerability in CISA (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 30.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SC-40 (Wireless Link Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Implements security safeguards such as cryptographic protections on RF wireless links between EoT and HoT devices to prevent packet forgery using software-defined radios.

prevent

Protects the integrity of RF transmissions, directly mitigating the bypass of weak BCH checksums to forge unauthorized brake control packets.

prevent

Requires mutual device identification and authentication for EoT and HoT communications, blocking forged packets from unauthorized adjacent transmitters.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability enables packet forgery over the RF remote link between train devices, directly facilitating exploitation of the remote signaling service to inject unauthorized commands.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.

Deeper analysis

CVE-2025-1727 is a vulnerability in the RF protocol used for remote linking between End-of-Train (EoT) and Head-of-Train (HoT, also known as FRED) devices. The protocol relies on a BCH checksum for packet creation, which can be bypassed to forge packets. This issue, associated with CWE-1390, affects these rail signaling components and was published on 2025-07-10 with a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

An attacker with adjacent physical proximity can exploit this vulnerability using a software-defined radio to craft malicious EoT and HoT packets. No privileges or user interaction are required, enabling low-complexity attacks that issue unauthorized brake control commands to the EoT device. Successful exploitation can disrupt train operations or overwhelm brake systems, achieving high impacts on integrity and availability.

Mitigation details are provided in the CISA ICS Advisory ICSA-25-191-10, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-10.

Details

CWE(s)

Affected Products

CISA (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-4924 (shared CWE-1390)
CVE-2024-52541 (shared CWE-1390)
CVE-2025-12870 (shared CWE-1390)
CVE-2025-1293 (shared CWE-1390)
CVE-2025-15595 (shared CWE-1390)
CVE-2024-13239 (shared CWE-1390)
CVE-2025-26343 (shared CWE-1390)
CVE-2025-12871 (shared CWE-1390)
CVE-2023-53894 (shared CWE-1390)
CVE-2025-40554 (shared CWE-1390)
