CISA Warns of Critical Flaws in Global Fuel Gauge Systems, Risking Infrastructure Disruption

CISA Issues Alert for Critical Vulnerabilities in Veeder-Root Fuel Gauge Systems Used in Global Energy Sector

CRITICAL
October 28, 2025
Industrial Control Systems · Vulnerability · Patch Management

Related Entities

Products & Tech

TLS4B Automatic Tank Gauge System · Linux

CVE Identifiers

CVE-2025-58428 (CRITICAL, CVSS 9.9)
CVE-2025-55067 (HIGH, CVSS 7.1)


Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory highlighting two severe vulnerabilities in Veeder-Root's TLS4B Automatic Tank Gauge (ATG) System, a critical component used worldwide in the energy sector to monitor fuel storage tanks. The most critical of these flaws, CVE-2025-58428, is a command injection vulnerability rated 9.9 on the CVSS scale. It could allow a remote attacker with valid credentials to gain full control of the industrial control system (ICS), creating risks of fuel supply disruption, inaccurate inventory, and potential safety hazards. A second flaw, CVE-2025-55067, is an integer overflow issue tied to the Y2038 epoch rollover that could lead to a denial-of-service. Veeder-Root has released a patch for the critical command injection flaw, and CISA is urging all affected organizations to take immediate action.


Vulnerability Details

CVE-2025-58428: Command Injection (CVSS 9.9 - Critical)

This vulnerability, discovered by researchers at Bitsight, exists in the SOAP-based web services interface of the TLS4B system. An authenticated attacker can send a specially crafted request that injects arbitrary commands, which are then executed on the underlying Linux operating system with root privileges. Low attack complexity combined with full system takeover accounts for the near-maximum severity score. Because exploitation requires valid credentials, the strength of the web-interface passwords is the only barrier between a remote attacker and root on the device; default or shared credentials remove that barrier entirely. A successful exploit could allow an attacker to manipulate fuel level readings, disable leak detection alarms, or disrupt fuel dispensing operations.
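To make the bug class concrete, the following Python sketch is an added example for this article; it is not Veeder-Root's code, and the `<generateReport>`/`<reportName>` operation, the `echo` stand-in for a real utility and the injected payload are all hypothetical rather than the TLS4B's actual interface or any real exploit. It contrasts a SOAP handler that splices a request parameter into a shell command line with one that allowlists the parameter and passes it as a discrete argv element so that no shell ever parses it.

```python
import re
import subprocess
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace


def soap_envelope(report_name: str) -> str:
    """Build a constructed SOAP 1.1 request. <generateReport>/<reportName> is a
    hypothetical operation invented for this example, not a real TLS4B method."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        f"<generateReport><reportName>{escape(report_name)}</reportName>"
        "</generateReport></soapenv:Body></soapenv:Envelope>"
    )


def extract_param(soap_xml: str, local_name: str) -> str:
    """Return the text of the first element whose namespace-stripped tag matches."""
    root = ET.fromstring(soap_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el.text or ""
    raise ValueError(f"parameter {local_name!r} not found")


def vulnerable_handler(soap_xml: str) -> str:
    """The bug class behind CVE-2025-58428, in miniature: attacker-controlled text is
    spliced into a command line that /bin/sh then parses, so ';', '|', '$(...)' and
    friends inside reportName run with the web server's privileges (root on the
    TLS4B, according to the advisory)."""
    name = extract_param(soap_xml, "reportName")
    command_line = f"echo report {name}"      # 'echo' stands in for a real utility
    return subprocess.run(command_line, shell=True, capture_output=True, text=True).stdout


ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def hardened_handler(soap_xml: str) -> str:
    """Allowlist the parameter, then pass it as its own argv element with shell=False
    (the default), so the value is never interpreted by a shell at all."""
    name = extract_param(soap_xml, "reportName")
    if not ALLOWED_NAME.fullmatch(name):
        raise ValueError("reportName contains disallowed characters")
    return subprocess.run(["echo", "report", name],
                          capture_output=True, text=True, check=True).stdout


BENIGN_REQUEST = soap_envelope("daily")
INJECTED_REQUEST = soap_envelope("daily; echo INJECTED")   # constructed payload

if __name__ == "__main__":
    print(vulnerable_handler(INJECTED_REQUEST), end="")   # second line "INJECTED"
    print(hardened_handler(BENIGN_REQUEST), end="")
    try:
        hardened_handler(INJECTED_REQUEST)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the real fix; escaping metacharacters one by one is the approach that tends to miss a case. Rejecting the request outright also gives the detection side a clean log event to alert on.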

CVE-2025-55067: Integer Overflow (CVSS 7.1 - High)

This flaw is a manifestation of the 'Year 2038 problem': systems that store Unix time in a 32-bit signed integer overflow at 03:14:07 UTC on January 19, 2038, when the counter passes 2^31 - 1. The value wraps to the most negative 32-bit integer, so the clock reads 20:45:52 UTC on December 13, 1901. Any function that compares or converts timestamps can then misbehave, including authentication (session and certificate validity checks) and leak detection algorithms that depend on the time between samples. The failure is not confined to 2038: an attacker able to move the system clock past the rollover can trigger it at will to induce a denial-of-service (DoS) condition, potentially locking administrators out of the system.
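The rollover and one of its consequences, worked through in Python as an added example that is not from the advisory or the vendor: a 32-bit signed time_t wrapping at 2^31, the date it wraps to, and a validity check of the kind used for sessions and certificates that reports a future expiry as already passed because the expiry timestamp lies beyond the rollover. The certificate and session dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1   # 2147483647 == 2038-01-19T03:14:07Z as a signed 32-bit time_t
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(*parts: int) -> datetime:
    """Shorthand for an aware UTC datetime, e.g. utc(2038, 1, 19, 3, 14, 7)."""
    return datetime(*parts, tzinfo=timezone.utc)


def to_time32(epoch_seconds: int) -> int:
    """Store a Unix timestamp the way a 32-bit signed time_t does: values beyond
    INT32_MAX wrap (two's complement) into the negative range."""
    return (epoch_seconds + 2**31) % 2**32 - 2**31


def time32_to_datetime(t32: int) -> datetime:
    # Add to the epoch rather than call fromtimestamp(), which rejects negative
    # values on some platforms; a negative t32 is exactly the case of interest.
    return EPOCH + timedelta(seconds=t32)


def wrapped_clock(real_time: datetime) -> datetime:
    """What a device with a 32-bit time_t believes the date is at real_time."""
    return time32_to_datetime(to_time32(int(real_time.timestamp())))


def session_valid_64(now: datetime, expires: datetime) -> bool:
    """Correct check: a session, token or certificate is valid until its expiry."""
    return int(now.timestamp()) <= int(expires.timestamp())


def session_valid_32(now: datetime, expires: datetime) -> bool:
    """Same check on 32-bit stored timestamps. An expiry beyond 2038-01-19 wraps
    negative, so it compares as earlier than any pre-rollover 'now' and the
    credential is treated as already expired: the authentication failure mode."""
    return to_time32(int(now.timestamp())) <= to_time32(int(expires.timestamp()))


if __name__ == "__main__":
    for t in (utc(2038, 1, 19, 3, 14, 7), utc(2038, 1, 19, 3, 14, 8)):
        print(t.isoformat(), "->", wrapped_clock(t).isoformat())
    # Constructed case: a 10-year device certificate issued in 2030, checked in 2030.
    now, not_after = utc(2030, 6, 1), utc(2040, 1, 1)
    print("64-bit valid:", session_valid_64(now, not_after),
          "32-bit valid:", session_valid_32(now, not_after))
```

The second scenario matters more than the first: a device that never reaches 2038 still breaks the moment it is handed a credential or certificate whose expiry lies past the rollover.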

Affected Systems

  • CVE-2025-58428: All versions of the Veeder-Root TLS4B Automatic Tank Gauge System prior to Version 11.A.
  • CVE-2025-55067: All versions of the Veeder-Root TLS4B Automatic Tank Gauge System. A patch is still in development.

These systems are deployed globally at gas stations, airports, and other facilities that manage large quantities of fuel.

Exploitation Status

There is no known public exploitation of these vulnerabilities at this time. However, given their severity and the criticality of the affected systems, they are attractive targets for both cybercriminals and nation-state actors.

Impact Assessment

Compromise of a TLS4B ATG system could have significant consequences:

  • Operational Disruption: Attackers could halt fuel dispensing or manipulate inventory data, causing supply chain disruptions.
  • Financial Loss: Inaccurate readings could lead to theft or mismanagement of fuel, a valuable commodity.
  • Safety and Environmental Hazards: Disabling leak detection or other safety alarms could result in undetected fuel spills, posing serious environmental and safety risks.
  • Denial of Service: The integer overflow flaw could render the system inoperable, requiring manual intervention and causing significant downtime.

Cyber Observables for Detection

  • url_pattern (SOAP web service endpoints): Monitor for unusual or malformed requests to the device's web interface, particularly requests whose parameter values contain shell metacharacters.
  • command_line_pattern (shell commands spawned by the web service process): On the device, monitor the web server process for child processes that are shells or common utilities (sh, bash, ls, cat, etc.).
  • log_source (system clock logs): Anomalous, large jumps in the system time, especially to dates in the past such as 1901, are a direct indicator that CVE-2025-55067 has been triggered.

Detection Methods

  • Vulnerability Scanning: Use network scanners with ICS/OT capabilities to identify vulnerable Veeder-Root systems on the network.
  • Log Analysis: Review web service and system logs on TLS4B devices for evidence of command injection attempts or anomalous time changes.
  • Network Traffic Analysis: As recommended by CISA, monitor network traffic for any attempts to access these devices from untrusted networks. Employ D3-NTA: Network Traffic Analysis to detect suspicious connections.
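An added example, not part of the advisory or this article's original text, that implements the three observables above as Python detection functions run over constructed sample data: SOAP bodies whose parameter text contains shell metacharacters, a syslog-style line sequence with a backward clock jump, and a process table in which a shell runs beneath the web server. The log format, the `httpd` process name and the process records are assumptions for the example, not the TLS4B's real formats.

```python
import re
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Characters that let a value break out of a command line once a shell parses it.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")


def suspicious_soap_params(soap_body: str) -> list:
    """Return (local tag, text) pairs for body elements whose text holds shell
    metacharacters. Parsing first means only element text is inspected, so the
    angle brackets of the XML markup itself never trigger a hit."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return [("<malformed>", soap_body[:80])]   # malformed SOAP is itself worth a look
    hits = []
    for el in root.iter():
        text = (el.text or "").strip()
        if text and SHELL_META.search(text):
            hits.append((el.tag.rsplit("}", 1)[-1], text))
    return hits


TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")


def clock_jumps(log_lines, max_backward=timedelta(seconds=60), max_forward=timedelta(days=1)):
    """Compare each entry's timestamp with the previous one and flag any that run
    backwards (beyond NTP-style slew) or leap forward implausibly far. A wrap to
    1901 shows up as a jump of roughly minus 124 years."""
    prev, alerts = None, []
    for line in log_lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        if prev is not None and not (-max_backward <= ts - prev <= max_forward):
            alerts.append((prev.isoformat(), ts.isoformat(), line))
        prev = ts
    return alerts


SHELLS_AND_TOOLS = {"sh", "bash", "dash", "busybox", "ls", "cat", "wget", "curl", "nc"}


def shell_descendants(procs, web_server_comm):
    """Walk the process tree down from every process named web_server_comm and
    return descendants that are shells or common post-exploitation utilities."""
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    stack = [p["pid"] for p in procs if p["comm"] == web_server_comm]
    seen, hits = set(), []
    while stack:
        for child in children.get(stack.pop(), []):
            if child["pid"] in seen:
                continue
            seen.add(child["pid"])
            if child["comm"] in SHELLS_AND_TOOLS:
                hits.append(child)
            stack.append(child["pid"])
    return hits


# --- constructed sample data (not real TLS4B traffic, logs or process names) ---
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMPLE_SOAP = (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
               "<getTankStatus><tankId>1</tankId>"
               "<reportName>daily; cat /etc/shadow</reportName>"
               "</getTankStatus></soapenv:Body></soapenv:Envelope>")
BENIGN_SOAP = SAMPLE_SOAP.replace("daily; cat /etc/shadow", "daily")
SAMPLE_LOG = [
    "2025-10-27T10:00:00Z gauge: tank 1 level 72.4%",
    "2025-10-27T10:05:00Z gauge: tank 1 level 72.3%",
    "1901-12-13T20:45:52Z gauge: tank 1 level 72.3%",   # clock wrapped
    "1901-12-13T20:50:52Z gauge: tank 1 level 72.2%",
]
SAMPLE_PROCS = [  # 'httpd' is a placeholder for whatever serves the SOAP interface
    {"pid": 1, "ppid": 0, "comm": "init"},
    {"pid": 200, "ppid": 1, "comm": "httpd"},
    {"pid": 201, "ppid": 200, "comm": "httpd"},
    {"pid": 345, "ppid": 201, "comm": "sh"},
    {"pid": 346, "ppid": 345, "comm": "cat"},
    {"pid": 400, "ppid": 1, "comm": "ntpd"},
]

if __name__ == "__main__":
    print(suspicious_soap_params(SAMPLE_SOAP))
    print(clock_jumps(SAMPLE_LOG))
    print([(p["pid"], p["comm"]) for p in shell_descendants(SAMPLE_PROCS, "httpd")])
```

In practice the first function would be fed request bodies from a web proxy or IDS in front of the device, the second the device's exported syslog, and the third a periodic process snapshot; a tree walk rather than a direct-child check is what catches `sh -c "cat ..."`, where the utility is a grandchild of the web server.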

Remediation Steps

Veeder-Root and CISA have provided the following recommendations:

  1. Update Firmware: Immediately upgrade all TLS4B systems to Version 11.A or later to remediate the critical command injection vulnerability (CVE-2025-58428).
  2. Network Segmentation: Isolate control system networks and devices from business networks. These systems should never be directly accessible from the internet.
  3. Secure Remote Access: If remote access is required, use a secure method such as a Virtual Private Network (VPN) with strong, multi-factor authentication. Keep the VPN appliance itself patched, and remember that a VPN is only as secure as the devices connected to it.
  4. Monitor for Y2038: For CVE-2025-55067, organizations should be aware of the 2038 deadline and plan for the eventual patch release from Veeder-Root. In the interim, monitor system clocks for unexpected changes.

Timeline of Events

  1. October 23, 2025: CISA publishes ICS advisory ICSA-25-296-03 for the Veeder-Root vulnerabilities.
  2. October 28, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Applying the firmware update from Veeder-Root (Version 11.A or later) is the primary mitigation for the critical command injection flaw (CVE-2025-58428).
  • Isolating ICS/OT devices from corporate IT networks and the internet is a fundamental security control for critical infrastructure.
  • Encrypt sensitive configuration and operational data stored on the device.

D3FEND Defensive Countermeasures

The single most important countermeasure for protecting Industrial Control Systems like the Veeder-Root TLS4B is Network Isolation. These devices should never be directly exposed to the internet or even to the corporate IT network. Asset owners must place ATGs and other OT devices behind firewalls in a dedicated, segmented OT network, with all communication between the IT and OT networks brokered through a DMZ. This removes the remote attack path to the vulnerable SOAP interface for an attacker outside the OT network, and proper segmentation also prevents an attacker with an initial foothold on the IT network from pivoting into the OT environment. Isolation does not, however, protect against an insider or an attacker who has already obtained credentials and network reach inside the OT segment, so it complements the patch rather than replacing it.

For the command injection flaw (CVE-2025-58428), immediate application of the vendor-supplied patch is the definitive solution. Organizations using Veeder-Root TLS4B systems must upgrade to firmware Version 11.A or later. Patching in OT environments can be challenging, so it must be done within a planned maintenance window and according to a tested procedure to avoid operational disruption. However, given the 9.9 CVSS score, this should be treated as an emergency change. A robust patch management program for OT systems, while difficult, is essential for defending against modern threats.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

ICS · OT · CISA · Veeder-Root · Critical Infrastructure · Energy Sector · Command Injection · Y2038
