The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding serious vulnerabilities in Veeder-Root’s TLS4B Automatic Tank Gauge System.
Released on October 23, 2025, the alert warns that attackers could exploit these flaws to take control of industrial systems used worldwide, particularly in the energy sector.
Two Critical Vulnerabilities Discovered
Security researchers at Bitsight identified two dangerous vulnerabilities in the TLS4B system. The first vulnerability involves improper neutralization of special elements in commands, which means attackers can inject malicious code into the system.
| CVE ID | Vulnerability Type | Affected Product | CVSS v3.1 Score |
| CVE-2025-58428 | Command Injection (CWE-77) | Veeder-Root TLS4B ATG System | 9.9 |
| CVE-2025-55067 | Integer Overflow/Wraparound (CWE-190) | Veeder-Root TLS4B ATG System | 7.1 |
Using valid credentials, remote attackers can execute system-level commands on the underlying Linux system, potentially gaining full shell access and moving throughout the network undetected.
This vulnerability, tracked as CVE-2025-58428, has been assigned an exceptionally high CVSS score of 9.4 out of 10, indicating severe risk.
The vulnerability is particularly dangerous because it requires relatively low complexity to exploit and is accessible from the internet through the system’s SOAP-based web services interface.
The second vulnerability relates to integer overflow, a technical flaw affecting how the system handles Unix time values.
When the system clock reaches January 19, 2038, it resets to December 13, 1901. This time manipulation can cause authentication failures, disrupt critical system functions like login access and leak detection, and trigger denial-of-service attacks that lock administrators out entirely.
The Veeder-Root TLS4B Automatic Tank Gauge System is deployed worldwide, with particular prevalence in the energy sector. All versions prior to Version 11.A are vulnerable to the command injection flaw. Organizations using older versions remain at immediate risk.
Veeder-Root has released Version 11.A to address the command injection vulnerability (CVE-2025-58428). Organizations should upgrade immediately to this patched version.
For the integer overflow issue (CVE-2025-55067), a permanent fix is still in development. Until it becomes available, Veeder-Root recommends following their network security best practices.
CISA provides additional defensive measures to minimize exploitation risk. Organizations should minimize internet exposure for all control system devices, keeping them isolated behind firewalls and away from business networks.
When remote access is necessary, using Virtual Private Networks (VPNs) with current updates provides additional protection.
According to CISA, no known public exploitation of these vulnerabilities has been reported as of the alert date.
However, given the high severity scores and ease of exploitation, organizations should treat this as urgent. Experts recommend performing impact analysis before deploying any defensive measures to ensure minimal disruption.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
