CISA Warns of Critical Veeder-Root Flaws Enabling System Command Execution

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding serious vulnerabilities in Veeder-Root’s TLS4B Automatic Tank Gauge System.

Released on October 23, 2025, the alert warns that attackers could exploit these flaws to take control of industrial systems used worldwide, particularly in the energy sector.

Security researchers at Bitsight identified two dangerous vulnerabilities that pose an immediate threat to critical infrastructure operations globally.

Two Critical Vulnerabilities Discovered

The first vulnerability involves improper neutralization of special elements in commands, allowing attackers to inject malicious code directly into the system.

Using valid credentials, remote attackers can execute system-level commands on the underlying Linux system, potentially gaining full shell access and moving throughout the network undetected.

This vulnerability, tracked as CVE-2025-58428, has been assigned an exceptionally high CVSS score of 9.9 out of 10, indicating severe risk.

The flaw is particularly dangerous because it requires relatively low complexity to exploit and is accessible from the internet through the system’s SOAP-based web services interface.

The second vulnerability is an integer overflow (wraparound) in the way the system handles Unix time values.

When the system clock reaches January 19, 2038, it resets to December 13, 1901.

This time rollover can cause authentication failures, disrupt critical functions such as login access and leak detection, and create a denial-of-service condition that locks administrators out entirely.

CVE-2025-55067 carries a CVSS score of 7.1, still indicating significant risk to operations.
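As an added illustration (not code from the CISA alert or from Veeder-Root), the C program below shows the signed 32-bit rollover described above and why an expiry check written against an absolute deadline fails around it, next to the interval-based comparison that survives the wrap. The session-check functions are constructed for this example and do not depict the TLS4B's actual authentication logic.

```c
/* Constructed illustration of the Unix Year-2038 wraparound on a signed 32-bit time_t
 * and of how a naive expiry check fails around the rollover. Not Veeder-Root's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef int32_t time32_t;               /* a legacy 32-bit signed time_t */

/* Two's-complement addition with the wrap made explicit (signed overflow is UB in C). */
time32_t time32_add(time32_t t, int32_t delta) {
    return (time32_t)((uint32_t)t + (uint32_t)delta);
}

/* Render a 32-bit epoch value as a UTC timestamp using the host's wider time_t. */
const char *time32_utc_string(time32_t t) {
    static char buf[32];
    time_t wide = (time_t)t;            /* sign-extends, so negative values stay negative */
    struct tm *tmv = gmtime(&wide);
    if (!tmv) return "(out of range)";
    strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", tmv);
    return buf;
}

/* Naive check: valid while now < issued + ttl. The deadline wraps negative near 2038,
 * so every session issued shortly before the rollover is rejected (an auth failure). */
int session_valid_naive(time32_t now, time32_t issued, int32_t ttl) {
    time32_t expires = time32_add(issued, ttl);
    return now >= issued && now < expires;
}

/* Mitigation: compare the elapsed interval in modular arithmetic rather than an absolute
 * deadline; correct across the rollover as long as ttl < 2^32 seconds. The durable fix
 * is a 64-bit time_t throughout the firmware. */
int session_valid_safe(time32_t now, time32_t issued, uint32_t ttl) {
    uint32_t elapsed = (uint32_t)now - (uint32_t)issued;
    return elapsed < ttl;
}

int main(void) {
    time32_t issued = INT32_MAX - 60;   /* one minute before the rollover */
    time32_t now = time32_add(issued, 30);
    printf("INT32_MAX is %s UTC\n", time32_utc_string(INT32_MAX));
    printf("INT32_MAX + 1 wraps to %s UTC\n", time32_utc_string(time32_add(INT32_MAX, 1)));
    printf("naive check 30s into a 1h session: %d\n", session_valid_naive(now, issued, 3600));
    printf("safe  check 30s into a 1h session: %d\n", session_valid_safe(now, issued, 3600));
    return 0;
}
```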

| CVE ID | Vulnerability Type | Affected Product | CVSS v3.1 Score |
| --- | --- | --- | --- |
| CVE-2025-58428 | Command Injection (CWE-77) | Veeder-Root TLS4B ATG System | 9.9 |
| CVE-2025-55067 | Integer Overflow/Wraparound (CWE-190) | Veeder-Root TLS4B ATG System | 7.1 |

The Veeder-Root TLS4B Automatic Tank Gauge System is deployed worldwide, with particular prevalence in the energy sector.

All versions before Version 11.A are vulnerable to the command injection flaw. Organizations running older versions remain at immediate risk.

Given the widespread deployment of these systems across critical infrastructure, the potential impact of successful exploitation extends far beyond individual organizations to include supply chain disruptions and regional energy distribution problems.

Veeder-Root has released Version 11.A to address the command injection vulnerability (CVE-2025-58428).

Organizations should upgrade immediately to this patched version. For the integer overflow issue (CVE-2025-55067), a permanent fix is still in development.

Until it becomes available, Veeder-Root recommends following its network security best practices.

CISA provides additional defensive measures to minimize exploitation risk. Organizations should minimize internet exposure for all control system devices, keeping them isolated behind firewalls and away from business networks.

When remote access is necessary, Virtual Private Networks (VPNs), kept fully updated, provide additional protection.

Experts recommend performing impact analysis before deploying any defensive measures to ensure minimal disruption to critical operations.

According to CISA, no known public exploitation of these vulnerabilities has been reported as of the alert date.

However, given the high severity scores and ease of exploitation, organizations should treat this as urgent and prioritize mitigation efforts immediately.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
