The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark advisory highlighting two severe vulnerabilities in Veeder-Root’s TLS4B Automatic Tank Gauge System, a critical tool used in fuel storage and management across the energy sector.
These flaws, if exploited, could enable attackers to run arbitrary system-level commands on affected devices, potentially leading to widespread disruptions in critical infrastructure.
The primary vulnerability has a CVSS v4 score of 9.4: it is exploitable remotely with low attack complexity, and the only precondition is a set of basic credentials.
Veeder-Root, a U.S.-based company with global deployments, urges immediate upgrades to mitigate these risks, as reported by researcher Pedro Umbelino of Bitsight.
The vulnerabilities stem from flaws in the system’s handling of commands and time values, exposing Linux-based consoles to manipulation.
Discovered in systems deployed worldwide for monitoring underground storage tanks, they underscore ongoing challenges in securing industrial control systems (ICS) against sophisticated threats.
CISA emphasizes that these issues affect energy operations, where downtime could cascade into fuel supply interruptions or safety hazards.
Vulnerability Breakdown
The TLS4B system, versions prior to 11.A, suffers from a command injection flaw and an integer overflow related to the 2038 Unix epoch problem.
The command injection (CWE-77) arises in the SOAP-based web services interface, allowing authenticated remote attackers to inject malicious elements and execute Linux shell commands.
This could grant full system access, enabling data theft or further network compromise.
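The CWE-77 pattern behind this class of flaw, as an added C example that is not Veeder-Root's code and does not describe how the TLS4B SOAP handler is actually written: a request field pasted into a shell command line, beside a handler that allowlists the field and runs the helper through an argument vector with no shell involved, so metacharacters in the field stay literal. The helper name, the tank-identifier format and the use of /bin/echo as a stand-in for the reporting tool are all assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shape of the defect (hypothetical, not the product's code): a request field
 * is pasted into a shell command line, so anything the shell treats specially
 * in `tank_id` changes what runs. Shown only as a string builder; it is never
 * executed in this example. */
int build_shell_command_unsafe(const char *tank_id, char *buf, size_t cap) {
    return snprintf(buf, cap, "/usr/local/bin/tank_report %s", tank_id);
}

/* Hardened step 1: allowlist the field. A tank identifier is assumed here to
 * be 1..16 characters from [A-Za-z0-9_-]; anything else is rejected outright. */
bool is_safe_tank_id(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 16) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-') return false;
    }
    return true;
}

/* Hardened step 2: run the helper with an argv vector and no shell, so the
 * field is one literal argument. The child's stdout is captured into `out`.
 * Returns the child's exit status, or -1 if the child could not be started. */
int run_without_shell(char *const argv[], char *out, size_t cap) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);   /* no /bin/sh in the path of execution */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t r;
    while (used + 1 < cap && (r = read(fds[0], out + used, cap - used - 1)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Request handler: validate first, then exec with argv. /bin/echo stands in
 * for the device's reporting tool (assumed). Returns an HTTP-style code. */
int handle_report_request(const char *tank_id, char *out, size_t cap) {
    if (!is_safe_tank_id(tank_id)) { snprintf(out, cap, "rejected"); return 400; }
    char *argv[] = { "/bin/echo", "report-for", (char *)tank_id, NULL };
    return run_without_shell(argv, out, cap) == 0 ? 200 : 500;
}

int main(void) {
    char out[128];
    const char *inputs[] = { "TANK-01", "TANK;01", "TANK-01 extra" };
    for (int i = 0; i < 3; i++) {
        int code = handle_report_request(inputs[i], out, sizeof out);
        printf("%-14s -> %d %s", inputs[i], code, out);
        if (code == 400) putchar('\n');
    }
    return 0;
}
```

The two steps are independent defences: the allowlist keeps unexpected bytes out of the field, and the argv-based exec means that even a field that slipped past validation is never parsed by a shell.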
A secondary integer overflow (CWE-190) mishandles time values beyond the 2038 rollover, resetting the clock to 1901 and causing authentication failures, log corruption, and halted leak detection.
Attackers could exploit this for denial-of-service (DoS) by tampering with system time, locking out administrators, and disrupting operations.
| CVE ID | Description | Affected Products | CVSS v3.1 Score (Vector) | CVSS v4 Score (Vector) |
|---|---|---|---|---|
| CVE-2025-58428 | Command Injection (CWE-77) via SOAP interface; enables RCE and shell access. | TLS4B (prior to 11.A) | 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) | 9.4 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) |
| CVE-2025-55067 | Integer Overflow (CWE-190) in Unix time handling; triggers DoS and functional disruptions. | TLS4B (prior to 11.A) | 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) | 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N) |
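The 2038 rollover behind CVE-2025-55067, as an added C example that is not the vendor's firmware: a signed 32-bit epoch counter wraps from 19 January 2038 to 13 December 1901 on the next tick, a session check keyed to that counter starts failing, and a range check refuses to store a time the counter cannot represent instead of silently wrapping. The counter width, the session-expiry logic and the set-clock interface are assumptions used to illustrate the mechanism.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest value a signed 32-bit epoch counter can hold: 2038-01-19T03:14:07Z. */
#define EPOCH32_MAX 2147483647LL
#define TWO_POW_32  4294967296LL

/* Portable two's-complement wrap of a 64-bit epoch value into 32 bits,
 * reproducing what firmware that truncates time_t to int32_t does. */
int32_t wrap_to_int32(int64_t secs) {
    int64_t w = secs % TWO_POW_32;
    if (w < 0) w += TWO_POW_32;
    if (w >= TWO_POW_32 / 2) w -= TWO_POW_32;
    return (int32_t)w;
}

/* Calendar year of a Unix timestamp (proleptic Gregorian, valid for negative
 * values) so the wrap can be shown without depending on the host's time_t width. */
int year_of_epoch(int64_t secs) {
    int64_t days = secs / 86400;
    if (secs % 86400 < 0) days--;            /* floor division for negatives */
    int64_t z = days + 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t y = yoe + era * 400;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    int64_t m = mp < 10 ? mp + 3 : mp - 9;
    return (int)(y + (m <= 2));
}

/* Defect (assumed shape): the clock is stored as int32_t, so the tick after
 * EPOCH32_MAX lands in December 1901. */
int32_t legacy_set_clock(int64_t secs) {
    return wrap_to_int32(secs);
}

/* Hardened: a time value arriving from an operator or a network interface is
 * stored only if the counter can represent it; otherwise the request is
 * refused and the clock is left unchanged. */
bool checked_set_clock(int64_t secs, int32_t *clock) {
    if (secs < 0 || secs > EPOCH32_MAX) return false;
    *clock = (int32_t)secs;
    return true;
}

/* A session-expiry check of the kind that fails after the wrap: a session
 * issued just before the rollover looks invalid once the clock reads 1901,
 * which is how a time rollover turns into an authentication failure. */
bool session_valid(int32_t now, int32_t issued, int32_t lifetime) {
    return now >= issued && (int64_t)now - issued <= lifetime;
}

int main(void) {
    int64_t next = EPOCH32_MAX + 1;
    int32_t clock = legacy_set_clock(next);
    printf("tick after %lld -> %d (year %d)\n", (long long)EPOCH32_MAX,
           (int)clock, year_of_epoch(clock));
    int32_t issued = (int32_t)(EPOCH32_MAX - 10);
    printf("session issued at %d still valid: %s\n", (int)issued,
           session_valid(clock, issued, 3600) ? "yes" : "no");
    int32_t safe = 0;
    printf("checked set of %lld accepted: %s\n", (long long)next,
           checked_set_clock(next, &safe) ? "yes" : "no");
    return 0;
}
```

The durable fix is a 64-bit time representation throughout; until a device has one, refusing out-of-range time values at every interface that can set the clock is the check that keeps a bad timestamp from becoming a lockout.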
Mitigations
Exploitation could yield remote command execution, lateral movement, administrative lockouts, and DoS conditions, severely impacting energy infrastructure reliability.
Because exploitation requires nothing more than valid credentials, the barrier to entry is low, heightening the risk for unpatched systems.
Veeder-Root recommends upgrading to TLS4B version 11.A for the command injection fix; for the overflow issue, a patch is in development, so users should follow network security best practices like isolating devices and securing ports.
CISA advises minimizing internet exposure, deploying firewalls, and using VPNs for remote access while conducting thorough risk assessments.