What vulnerabilities affect Veeder-Root TLS4B Automatic Tank Gauge System?

Veeder-Root is reporting multiple security vulnerabilities in its TLS4B Automatic Tank Gauge System that could enable authenticated attackers to gain complete control over affected systems. The vulnerabilities include CVE-2025-58428, a critical command injection flaw, and CVE-2025-55067, an integer overflow vulnerability related to the Year 2038 problem.

What is CVE-2025-58428 in Veeder-Root TLS4B systems?

CVE-2025-58428 is an improper neutralization of special elements used in a command injection vulnerability with a CVSS score of 9.4 that affects the TLS4B ATG system's SOAP-based interface. This flaw enables remote attackers with valid credentials to execute system-level commands on the underlying Linux operating system, potentially achieving remote command execution, full shell access, and establishing a foothold for lateral movement within the network.

What is CVE-2025-55067 in Veeder-Root TLS4B systems?

CVE-2025-55067 is an integer overflow or wraparound vulnerability with a CVSS score of 7.1 stemming from the TLS4B ATG system's improper handling of Unix time values that exceed the 2038 epoch rollover threshold. When the system clock reaches January 19, 2038, at 03:14:07 UTC, the 32-bit signed integer used to store Unix timestamps will overflow, causing the system to reset to December 13, 1901.

What happens when the Year 2038 bug affects Veeder-Root TLS4B?

When the system clock reaches the 2038 epoch rollover threshold, the integrity breach causes authentication failures and disrupts core system functionalities including login access, history visibility, and leak detection termination. Attackers aware of this threat could manipulate the system time to artificially trigger this denial of service condition, leading to administrative lockout, operational timer failures, and corrupted log entries.

What should users do about the Veeder-Root TLS4B vulnerabilities?

Users should immediately upgrade their TLS4B systems to Version 11.A to address the command injection vulnerability. For the integer overflow vulnerability, until a patch becomes available, users should apply isolation measures to minimize exposure to potential attacks.

What is a TLS4B Automatic Tank Gauge System?

The TLS4B Automatic Tank Gauge System is a Veeder-Root product used for monitoring and managing fuel tanks. The system has been found to contain critical security vulnerabilities including command injection and Year 2038 integer overflow issues that could enable attackers to gain complete control over affected systems.

Advisory

Critical command injection flaw reported in Veeder-Root TLS4B automatic tank gauge system

published: Oct. 23, 2025

Take action: If you use Veeder-Root TLS4B tank gauge systems, make sure they are isolated from the internet and accessible only from trusted networks. Then plan a patch to version 11.A or newer. The flaw still requires admin login so also work with the administrators for detecting phishing and avoiding malware.

Learn More

Veeder-Root is reporting multiple security vulnerabilities in its TLS4B Automatic Tank Gauge System, that could enable authenticated attackers to gain complete control over affected systems.

Vulnerabilities summary:

CVE-2025-58428 (CVSS score 9.4): An improper neutralization of special elements used in a command injection vulnerability that affects the TLS4B ATG system's SOAP-based interface. This flaw enables remote attackers with valid credentials to execute system-level commands on the underlying Linux operating system. Successful exploitation could allow attackers to achieve remote command execution, gain full shell access to the system, and establish a foothold for potential lateral movement within the network.
CVE-2025-55067 (CVSS score 7.1): An integer overflow or wraparound vulnerability stemming from the TLS4B ATG system's improper handling of Unix time values that exceed the 2038 epoch rollover threshold. When the system clock reaches January 19, 2038, at 03:14:07 UTC, the 32-bit signed integer used to store Unix timestamps will overflow, causing the system to reset to December 13, 1901. This integrity breach causes authentication failures and disrupts core system functionalities including login access, history visibility, and leak detection termination. Attackers aware of this cyber security threat could manipulate the system time to artificially trigger this denial of service condition, leading to administrative lockout, operational timer failures, and corrupted log entries.

All versions of the Veeder-Root TLS4B Automatic Tank Gauge System prior to version 11.A are affected by these vulnerabilities.

Veeder-Root has released a patch to address the command injection vulnerability and strongly recommends that users immediately upgrade their TLS4B systems to Version 11.A.

For the integer overflow vulnerability, Veeder-Root has acknowledged the threat and is developing a fix. Until a patch becomes available, users should applu isolation to minimize exposure to potential attacks.

Critical command injection flaw reported in Veeder-Root TLS4B automatic tank gauge system

Read More
Siemens Patches Multiple Vulnerabilities In A8000 Automation Device
Critical authentication bypass flaw reported in Amp'ed RF …
CISA reports multiple vulnerabilities in Emerson ValveLink products, …
Unitronics fixes multiple critical issues in Unistream and …
Commend fixes issues in WS203VICM after product end-of-life