1-855-263-7328
Security Portal Login
1-855-263-7328
Security Portal Login

Critical Flaws in Veeder‑Root TLS4B Systems

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious advisory regarding two critical vulnerabilities in Veeder-Root’s TLS4B Automatic Tank Gauge (ATG) system, widely used in fuel-storage and monitoring operations. These flaws present a major threat to operational technology (OT) environments, especially within the energy and utilities sectors where availability, integrity and safety are paramount.

Vulnerability Details
  • The primary vulnerability, tracked as CVE‑2025‑58428, is a command-injection flaw (CWE-77) in the SOAP-based web services interface of the TLS4B ATG system, affecting versions prior to 11.A. Successful exploitation could enable remote attackers to execute system-level commands on the underlying Linux host, and potentially gain a full shell.
  • A secondary issue, CVE‑2025‑55067 (CWE-190), is an integer overflow / time-wrap vulnerability tied to the Unix 2038 epoch rollover in the same system. This bug can lead to authentication breakdowns, system disruption or denial of service (DoS).
  • The CVSS v3.1 score for the command-injection flaw is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
  • The affected product is widely deployed in fuel-storage environments, making the risk real – not hypothetical.
Industry Impact

Because the TLS4B ATG system bridges digital control and physical infrastructure, the impact extends across several sectors:

  • Energy / Fuel & Utilities: Tank-gauging systems regulate fuel levels, pressure, leak detection and inventory in gas stations, storage depots and other infrastructure. A compromised device could cause data manipulation, service interruption, or even physical hazard.
  • Manufacturing / Industrial Operations: Facilities dependent on fuel supply or tank monitoring for operations may lose visibility or control, impacting production continuity.
  • Government / Public Sector: Public-facing fuel infrastructure or emergency fuel storage may be disrupted-potentially a national-security concern.
  • Retail / Logistics: Chains managing fuel stations, logistics hubs or fleet depots may see disruption in their supply chain operations.

Given the low complexity and high impact of the flaws, organizations using or connected to the TLS4B systems must act immediately.

Recommended Actions
  1. Patch Immediately: Upgrade the TLS4B system to version 11.A or later (per vendor advisory) to mitigate CVE-2025-58428.
  2. Isolate and Segment: Ensure the ATG system does not have direct internet exposure. Use network segmentation so that the ATG system only communicates with trusted operations networks. CISA recommends removing systems from public-facing networks.
  3. Monitor for Anomalies: Look for unexpected shell access, system-level command execution, unusual login attempts, or modification in tank-gauge parameters such as volume or tilt settings.
  4. Deploy Network Access Controls: Use firewalls, VPNs or jump hosts for remote access to ATG devices; restrict access to authorization roles only.
  5. Review Time/Clock Behaviour: For CVE-2025-55067, monitor system clocks, authentication failures, or log corruption around the 2038 epoch-related behaviour.
  6. Perform Forensic Readiness: Ensure logs are collected centrally, that integrity of the ATG system’s firmware is validated, and that incident response plays include OT systems.
  7. Coordinate with Suppliers & OT Teams: Confirm with your vendor the status of the patch for CVE-2025-55067. Ensure your operations and security teams understand supply-chain risk and maintain coverage for connected devices.
Conclusion

The Veeder-Root TLS4B vulnerabilities serve as a stark reminder that operational-technology assets-though often overlooked-can become major attack vectors. In a world increasingly focused on IT security, the OT layer remains an exploitable gap. Failure to respond quickly could compromise not only data, but physical safety, operations availability and regulatory compliance.

If your organization uses tank-gauge systems, fuel-storage monitoring, or related infrastructure, treat this advisory as an emergency: patch, isolate, monitor and plan for recovery.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services

Given OT risks like these, COE Security also provides industrial-control system (ICS) vulnerability assessments, tank-gauging system audits, network segmentation strategy for OT/IT convergence, and incident-response planning for fuel-infrastructure threats. Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.

Click to read our LinkedIn feature article