
CISA Alerts on Critical Veeder-Root Flaws Allowing Attackers to Execute System Commands

By Admin
October 28, 2025


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert about severe vulnerabilities in Veeder-Root's TLS4B Automatic Tank Gauge System.

Released on October 23, 2025, the alert warns that attackers could exploit these flaws to take control of industrial systems used worldwide, particularly in the energy sector.

Two Critical Vulnerabilities Found

Security researchers at Bitsight identified two dangerous vulnerabilities in the TLS4B system. The first vulnerability involves improper neutralization of special elements in commands, which means attackers can inject malicious code into the system.

| CVE ID | Vulnerability Type | Affected Product | CVSS v3.1 Score |
|---|---|---|---|
| CVE-2025-58428 | Command Injection (CWE-77) | Veeder-Root TLS4B ATG System | 9.9 |
| CVE-2025-55067 | Integer Overflow/Wraparound (CWE-190) | Veeder-Root TLS4B ATG System | 7.1 |

Using valid credentials, remote attackers can execute system-level commands on the underlying Linux system, potentially gaining full shell access and moving throughout the network undetected.

This vulnerability, tracked as CVE-2025-58428, has been assigned an exceptionally high CVSS score of 9.4 out of 10, indicating severe risk.

The vulnerability is especially dangerous because it requires relatively low complexity to exploit and is reachable from the internet through the system's SOAP-based web services interface.

The second vulnerability relates to integer overflow, a technical flaw affecting how the system handles Unix time values.

When the system clock reaches January 19, 2038, it resets to December 13, 1901. This time manipulation may cause authentication failures, disrupt critical system functions such as login access and leak detection, and trigger denial-of-service attacks that lock administrators out completely.
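The rollover described above can be reproduced with a signed 32-bit Unix clock. The following C program is an added illustration, not Veeder-Root or CISA code; the `session_valid32` and `session_valid64` checks and the sample timestamps are hypothetical, constructed to show how a time-based login check fails at the wraparound and how 64-bit timestamps avoid it.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Add seconds to a signed 32-bit Unix clock with two's-complement wraparound.
   The sum is done in uint32_t because signed overflow is undefined in C. */
static int32_t tick32(int32_t now, uint32_t seconds) {
    uint32_t u = (uint32_t)now + seconds;
    return u <= (uint32_t)INT32_MAX ? (int32_t)u
                                    : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Calendar year (UTC) for a Unix timestamp. */
static int year_utc(int64_t t) {
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    return tm ? tm->tm_year + 1900 : -1;
}

/* Hypothetical session check on 32-bit timestamps (not Veeder-Root code). */
static int session_valid32(int32_t now, int32_t issued, uint32_t ttl) {
    int32_t expires = tick32(issued, ttl);   /* wraps negative near 2038 */
    return now >= issued && now < expires;
}

/* Same check with 64-bit timestamps: no wraparound in any realistic range. */
static int session_valid64(int64_t now, int64_t issued, uint32_t ttl) {
    return now >= issued && now < issued + (int64_t)ttl;
}

int main(void) {
    int32_t issued = INT32_MAX - 60;       /* constructed: login 60 s before rollover */
    int32_t before = tick32(issued, 10);   /* 10 s later, clock not yet wrapped */
    int32_t after  = tick32(issued, 120);  /* 120 s later, clock has wrapped */

    printf("last 32-bit second: year %d\n", year_utc(INT32_MAX));
    printf("one second later:   year %d\n", year_utc(tick32(INT32_MAX, 1)));
    printf("32-bit check, 10 s after login:  %d\n",
           session_valid32(before, issued, 3600));
    printf("32-bit check, 120 s after login: %d\n",
           session_valid32(after, issued, 3600));
    printf("64-bit check, 120 s after login: %d\n",
           session_valid64((int64_t)issued + 120, issued, 3600));
    return 0;
}
```

In this sketch the 32-bit check rejects a one-hour session both before and after the rollover, because the expiry time itself has already wrapped into 1901.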

The Veeder-Root TLS4B Automatic Tank Gauge System is deployed worldwide, with particular prevalence in the energy sector. All versions prior to Version 11.A are vulnerable to the command injection flaw. Organizations using older versions remain at immediate risk.

Veeder-Root has released Version 11.A to address the command injection vulnerability (CVE-2025-58428). Organizations should upgrade immediately to this patched version.

For the integer overflow issue (CVE-2025-55067), a permanent fix is still in development. Until it becomes available, Veeder-Root recommends following its network security best practices.

CISA provides additional defensive measures to minimize exploitation risk. Organizations should minimize internet exposure for all control system devices, keeping them isolated behind firewalls and away from business networks.

When remote access is necessary, using Virtual Private Networks (VPNs) with current updates provides additional protection.

According to CISA, no known public exploitation of these vulnerabilities has been reported as of the alert date.

However, given the high severity scores and ease of exploitation, organizations should treat this as urgent. Experts recommend performing impact analysis before deploying any defensive measures to ensure minimal disruption.
