Veeder-Root TLS4B Automatic Tank Gauge System
Priority: Act Now | CVSS: 9.9 | ICS-CERT ICSA-25-296-03 | Oct 23, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Veeder-Root TLS4B Automatic Tank Gauge system versions below 11.A contain command injection vulnerabilities (CVE-2025-58428, CVE-2025-55067) that allow authenticated users to execute arbitrary system commands with application privileges. Successful exploitation could lead to remote command execution, full shell access, lateral movement within the network, administrative lockout, and disruption of tank monitoring and inventory management functions. One vulnerability (CVE-2025-58428) has a known fix; the other (CVE-2025-55067) requires future patching.
What this means
What could happen
An attacker with login credentials could execute arbitrary commands on the TLS4B tank gauge system, potentially altering inventory levels, disabling monitoring, or preventing authorized access to the device. This could disrupt fuel or chemical inventory management and compliance reporting at fueling stations, distribution centers, or storage facilities.
Who's at risk
Facility managers and operators of Veeder-Root TLS4B Automatic Tank Gauge systems at fuel distribution terminals, retail fuel stations, chemical storage facilities, and any location using TLS4B for inventory and delivery management. This includes fleet fueling operations, convenience stores with fuel pumps, and petroleum/chemical logistics operations.
How it could be exploited
An attacker with valid credentials for the TLS4B management console could inject system commands that are executed with the privileges of the TLS4B application. The attacker could then escalate to full shell access and move laterally to other systems on the network if the TLS4B is not properly isolated.
Prerequisites
- Network access to the TLS4B management console or API endpoint
- Valid authentication credentials (username and password) for the TLS4B system
- The TLS4B reachable from the attacker's network position
Risk factors:
- remotely exploitable (over network)
- low authentication complexity (requires valid credentials)
- affects critical operational visibility and control
- no public patch available for CVE-2025-55067
- high CVSS score (9.9)
- full system compromise possible
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: TLS4B
Affected Versions: < 11.A
Fix Status: 11.A
Remediation & Mitigation
Do now
- WORKAROUND: Implement network access controls to restrict console access to authorized administrative networks only; use firewall rules to block access from untrusted networks
- HARDENING: Enforce strong, unique passwords for all TLS4B administrative accounts and disable any default credentials
- HARDENING: Disable remote management access to the TLS4B unless absolutely required; if required, require multi-factor authentication and VPN access only
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Upgrade TLS4B to Version 11.A or later (CVE-2025-58428 fix)
- HOTFIX: Monitor the Veeder-Root Technical Support channel for the CVE-2025-55067 fix (timeline not announced); apply when available
Long-term hardening
- HARDENING: Isolate the TLS4B and connected tank monitoring equipment from the business network using a separate VLAN or air-gapped network segment
CVEs (2): CVE-2025-58428, CVE-2025-55067