Dover Fueling Solutions ProGauge MagLink LX consoles
Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-168-05 | Jun 17, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Missing access control (CWE-306) in ProGauge MagLink LX fuel monitoring consoles allows an unauthenticated remote attacker to gain control of the device. Successful exploitation could result in an attacker manipulating fueling operations, deleting system configurations, or deploying malware on the console. The vulnerability affects MagLink LX 4, MagLink LX Plus, and MagLink LX Ultimate models prior to patched versions.
What this means
What could happen
An attacker could gain full control of the ProGauge MagLink LX fuel monitoring console, allowing them to manipulate fueling transactions, delete configurations, or deploy malware that could disrupt fuel dispensing operations across your site.
Who's at risk
This affects fuel station and fleet fueling operators who deploy Dover ProGauge MagLink LX fuel monitoring and management consoles. Any organization using these devices for transaction tracking, pump monitoring, or inventory management should prioritize patching. This is particularly critical for sites where the console might be accessible from untrusted networks.
How it could be exploited
An attacker with network access to the ProGauge MagLink LX console (no authentication required due to CWE-306 missing access control) can send network commands to remotely execute arbitrary actions on the device. This could happen if the console is exposed to an untrusted network or if an attacker reaches it from a compromised internal system.
Prerequisites
- Network access to the ProGauge MagLink LX console on the port it listens on (typically port 80 or 443, but confirm your configuration)
- Device must be on a network reachable from the attacker (internet-exposed or accessible from compromised internal system)
- No valid credentials or authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- Critical CVSS score (9.8)
- Affects fuel dispensing operations
- Could enable malware deployment
Exploitability
Some exploitation risk — EPSS score 1.5%
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
ProGauge MagLink LX 4 | <4.20.3 | 4.20.3
ProGauge MagLink LX Ultimate | <5.20.3 | 5.20.3
ProGauge MagLink LX Plus | <4.20.3 | 4.20.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to ProGauge MagLink LX consoles using firewall rules; allow connections only from authorized engineering workstations and management systems, block all internet-facing access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update ProGauge MagLink LX 4 and LX Plus models to firmware version 4.20.3 or later
HOTFIX: Update ProGauge MagLink LX Ultimate models to firmware version 5.20.3 or later
Long-term hardening
HARDENING: Isolate the ProGauge MagLink LX console on a separate fuel management network segment, physically separated from business networks and the internet
HARDENING: If remote access to the console is required for monitoring or troubleshooting, configure VPN access through a jump server or remote access gateway instead of direct internet exposure
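Added example (not part of the original advisory or any vendor tooling): a Python triage of an asset inventory against the fixed firmware versions listed under Affected products, sorting consoles into the "Do now" and "Schedule" actions above. The CSV columns, host names and the "mgmt-vlan" segment label are constructed assumptions.

```python
import csv
import io
import re

# Fixed firmware per model, taken from the advisory's affected-products table.
FIXED = {"lx 4": (4, 20, 3), "lx plus": (4, 20, 3), "lx ultimate": (5, 20, 3)}

# Constructed sample inventory (hypothetical hosts, segments and column names).
SAMPLE_INVENTORY = """host,model,firmware,reachable_from
site01-atg,ProGauge MagLink LX 4,4.19.8,internet
site02-atg,MagLink LX Plus,4.20.3,mgmt-vlan
site03-atg,MagLink LX Ultimate,5.20.1,corp-lan
site04-atg,MagLink LX Ultimate,5.21.0,mgmt-vlan
site05-atg,MagLink LX 4,unknown,corp-lan
"""

def parse_version(text):
    """Return a numeric tuple for 'a.b.c' style strings, or None if unparseable."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip(), re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def model_key(model):
    """Map a free-text model name onto one of the advisory's three models."""
    name = model.strip().lower()
    return next((k for k in FIXED if name.endswith(k)), None)

def triage(inventory_csv):
    """Classify each console by the remediation step it needs."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key, ver = model_key(row["model"]), parse_version(row["firmware"])
        if key is None:
            status = "model-not-listed"
        elif ver is None:
            status = "verify-firmware"   # unknown version: treat as unpatched until confirmed
        elif ver >= FIXED[key]:
            status = "ok"
        elif row["reachable_from"] != "mgmt-vlan":
            status = "restrict-now"      # vulnerable and reachable outside the management segment
        else:
            status = "schedule-patch"    # vulnerable but already isolated
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Consoles marked restrict-now still need the firmware update; the label only reflects which action comes first.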
CVEs (1)