Veeder-Root TLS4B Automatic Tank Gauge System

Plan PatchCVSS 9.9ICS-CERT ICSA-25-296-03Oct 23, 2025

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Veeder-Root TLS4B Automatic Tank Gauge System versions prior to 11.A contain multiple vulnerabilities (CVE-2025-58428, CVE-2025-55067) that allow authenticated attackers to execute system-level commands, gain full shell access, move laterally within the network, trigger denial of service, cause administrative lockout, and disrupt core system functionalities. CVE-2025-58428 is fixed in version 11.A. CVE-2025-55067 remains unfixed; Veeder-Root states a fix is in development and recommends adherence to network security best practices in the interim.

What this means

What could happen

An attacker with network access and valid credentials could execute arbitrary commands on the TLS4B console, allowing them to modify tank inventory data, disable alarms, disrupt fuel or chemical distribution operations, and potentially lock out authorized users from the system.

Who's at risk

Water utilities, fuel distributors, and chemical storage facilities that rely on Veeder-Root TLS4B automatic tank gauge systems for inventory management and monitoring. This affects anyone managing above-ground or underground storage tanks who depends on the TLS4B console for daily operations and reporting.

How it could be exploited

An attacker gains network access to the TLS4B console (either directly or by compromising a connected workstation). With valid login credentials, they could inject malicious commands that execute at system level, giving them full control over the gauge software and potentially the underlying hardware. From there, they could pivot to other networked devices in the fuel distribution system or connected business network.

Prerequisites

Network reachability to the TLS4B console port
Valid TLS4B user account credentials
Knowledge of or ability to guess valid usernames and passwords

remotely exploitablerequires valid credentialslow complexity attackno public patches available for all vulnerabilitiesaffects critical infrastructure operationscan cause denial of service or system lockout

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (1)

ProductAffected VersionsFix Status

TLS4B: <11.A<11.A11.A

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to the TLS4B console to authorized management stations only using firewall rules; block all inbound access from the business network and internet

HARDENINGEnforce strong, unique passwords on all TLS4B user accounts and disable any default or shared credentials

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade TLS4B firmware to version 11.A or later

Long-term hardening

0/2

HARDENINGIsolate the TLS4B and tank gauge network from the main business network using a dedicated VLAN or air gap when possible

HARDENINGIf remote access to TLS4B is required, deploy a VPN gateway and require VPN authentication before allowing connections; keep the VPN software updated

CVEs (2)

CVE-2025-58428 CVE-2025-55067

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a69a98be-17f9-4edb-bcac-b3718d5a1306

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.