The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert for two high-severity vulnerabilities affecting the Veeder-Root TLS4B Automatic Tank Gauge (ATG) System, widely used in fuel storage and monitoring facilities across the energy sector. Successful exploitation could allow attackers to gain remote shell access, execute system-level commands, disrupt critical operations, and trigger denial-of-service (DoS) conditions.
CISA confirmed that the most severe flaw, CVE-2025-58428, is a command injection vulnerability impacting versions of the TLS4B system prior to Version 11.A.
According to the advisory, “The TLS4B ATG system’s SOAP-based interface is vulnerable due to its accessibility through the web services handler. This vulnerability enables remote attackers with valid credentials to execute system-level commands on the underlying Linux system.”
This flaw allows an authenticated attacker to perform remote command execution, gain full shell access, and move laterally within the network, potentially compromising additional systems connected to the same environment.
CISA has assigned a CVSS v3.1 base score of 9.9, classifying it as critical, and warns that exploitation could lead to total control over the device. “Successful exploitation of these vulnerabilities could allow attackers to execute system-level commands, gain full shell access, achieve remote command execution, move laterally within the network, trigger a denial of service condition, cause administrative lockout, and disrupt core system functionalities,” the agency stated.
A second vulnerability, CVE-2025-55067, rated 7.1 (High), concerns an integer overflow or wraparound condition tied to the system’s handling of Unix time values approaching the 2038 epoch rollover.
The advisory explains, “When the system clock reaches January 19, 2038, it resets to December 13, 1901, causing authentication failures and disrupting core system functionalities such as login access, history visibility, and leak detection termination.”
Attackers could exploit this logic flaw by manipulating the system clock, creating a denial-of-service (DoS) scenario that results in administrative lockout, corrupted log entries, and malfunctioning operational timers.
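The wraparound the advisory describes, reproduced here as an added illustration (not Veeder-Root code): a signed 32-bit time_t reaches 2^31 seconds on January 19, 2038 and, stored in two's complement, becomes the December 13, 1901 date quoted above. The clock-sanity check and its build-date floor are assumptions for the example, not the vendor's implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define SECS_2038_ROLLOVER 2147483648LL  /* 2^31 s after 1970-01-01: 2038-01-19 03:14:08 UTC */
#define BUILD_FLOOR_SECS   1735689600LL  /* 2025-01-01 00:00:00 UTC, assumed firmware build date */

/* Store a 64-bit second count into a signed 32-bit slot the way a
 * two's-complement store does: the value is reduced modulo 2^32, so
 * 2^31 becomes -2^31. */
static int32_t store_as_time32(int64_t secs) {
    int64_t m = ((secs % 4294967296LL) + 4294967296LL) % 4294967296LL; /* [0, 2^32) */
    return (int32_t)(m >= 2147483648LL ? m - 4294967296LL : m);
}

/* Calendar year of a UTC timestamp, computed with the host's 64-bit time_t
 * so the result is the true date rather than a wrapped one. */
static int utc_year(int64_t secs) {
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

/* Defensive check a device could apply before accepting an NTP or operator
 * clock change (assumed policy, not the vendor's): reject values before the
 * firmware's build date and values a 32-bit time_t cannot hold.
 * Returns 1 if the proposed clock value is acceptable. */
static int clock_value_is_sane(int64_t proposed) {
    if (proposed < BUILD_FLOOR_SECS) return 0;     /* clock pushed into the past */
    if (proposed >= SECS_2038_ROLLOVER) return 0;  /* would wrap a 32-bit time_t */
    return 1;
}

int main(void) {
    int64_t last_ok = SECS_2038_ROLLOVER - 1;
    int64_t rollover = SECS_2038_ROLLOVER;
    printf("2^31-1 s: year %d, stored in 32 bits as %ld\n",
           utc_year(last_ok), (long)store_as_time32(last_ok));
    printf("2^31   s: true year %d, but a 32-bit time_t holds %ld, i.e. year %d\n",
           utc_year(rollover), (long)store_as_time32(rollover),
           utc_year(store_as_time32(rollover)));
    printf("accept a clock set to 2^31 s? %d\n", clock_value_is_sane(rollover));
    return 0;
}
```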
For CVE-2025-58428, Veeder-Root has released an update, urging all users to upgrade the TLS4B ATG system to Version 11.A.
For CVE-2025-55067, no patch is currently available. However, Veeder-Root has acknowledged the issue and committed to releasing a fix in a future update. In the meantime, the vendor advises implementing strict network segmentation and defensive measures.