
CISA: US Train Braking System Flaw Threatens Derailment

Replacement train packet systems will not be ready for implementation until 2027.

CISA has warned that attacks exploiting a high-severity flaw in U.S. train braking systems could cause sudden remote train stoppages, which could ultimately lead to derailments.

Cybersecurity Dive reports that the flaw is tracked as CVE-2025-1727 and that, while the Association of American Railroads is already developing new systems for sending end-of-train and head-of-train packets to replace the vulnerable ones, those systems will only be ready for implementation by 2027.

Acting CISA Executive Assistant Director for Cybersecurity Chris Butera acknowledged that the rail sector is aware of the "technically significant" issue, which was noted to be challenging to exploit because doing so requires extensive protocol knowledge, specialised equipment, and physical access to rail lines.

Such a development comes amid the Transportation Security Administration's ongoing efforts to strengthen the rail industry's cybersecurity defences.
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
