CISA warns of critical vulnerabilities in Veeder-Root TLS4B that allow execution of system commands

28.10.2025 | Author: Newsman

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for two critical vulnerabilities in Veeder-Root TLS4B systems used to monitor fuel tanks. Exploiting these flaws could allow attackers to remotely execute system-level commands, posing a threat to energy infrastructure.

According to CISA, the vulnerabilities affect versions of TLS4B prior to 11.A. The first, CVE-2025-58428 (CVSS 9.4), allows attackers with basic credentials to perform command injection via the SOAP interface, effectively gaining control of the system. The second, CVE-2025-55067 (CVSS 7.1), is an integer overflow in the handling of Unix time values (the year 2038 problem), which could lead to authorization failures and denial of service (DoS).
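To show the failure mode behind the second flaw, here is an added illustration that is not Veeder-Root's code nor the researchers' findings: a constructed C model of a hypothetical session-expiry check in which a 64-bit Unix timestamp is narrowed to a signed 32-bit field, so a timestamp past 19 January 2038 makes a still-valid session look expired, beside a range-checked version that reports the out-of-range value instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not Veeder-Root code. Many embedded Linux builds still
 * keep Unix time in a signed 32-bit field, which runs out at 2147483647
 * seconds since the epoch (19 Jan 2038 03:14:07 UTC). */
#define T32_MAX 2147483647LL

/* What an unchecked 64-to-32-bit narrowing does: the value wraps modulo
 * 2^32, so the first second past T32_MAX lands on INT32_MIN. Spelled out
 * so the wrap is fully defined rather than implementation-defined. */
int32_t time32_wrap(int64_t t) {
    uint32_t u = (uint32_t)t;                 /* modulo 2^32 */
    if (u > (uint32_t)INT32_MAX)
        return (int32_t)(u - 2147483648u) + INT32_MIN;
    return (int32_t)u;
}

/* Expiry check as a 32-bit build writes it: valid while now < expires. */
bool session_valid_32(int32_t now, int32_t expires) { return now < expires; }

/* Hardened: carry 64-bit time end to end ... */
bool session_valid_64(int64_t now, int64_t expires) { return now < expires; }

/* ... and refuse to narrow anything the 32-bit field cannot hold, so an
 * out-of-range timestamp is a reported error, not a silently wrong one. */
bool to_time32_checked(int64_t t, int32_t *out) {
    if (t < 0 || t > T32_MAX) return false;
    *out = (int32_t)t;
    return true;
}

/* True when the wrapped check rejects a session the 64-bit check accepts:
 * the authorization failure the advisory attributes to the overflow. */
bool demo_authz_failure(int64_t now, int64_t expires) {
    return session_valid_64(now, expires) &&
           !session_valid_32(time32_wrap(now), time32_wrap(expires));
}

int main(void) {
    int64_t now = 1700000000LL;      /* Nov 2023, constructed sample */
    int64_t expires = T32_MAX + 1;   /* one second past the 32-bit limit */
    printf("64-bit: %s, 32-bit: %s\n",
           session_valid_64(now, expires) ? "valid" : "expired",
           session_valid_32(time32_wrap(now), time32_wrap(expires)) ? "valid" : "expired");
    return 0;
}
```

The same wrap makes a comparison such as "now < expires" flip in either direction depending on which operand crossed 2038 first, which is why the advisory lists both authorization failures and DoS as outcomes.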

These flaws pose a particular threat to facilities in the fuel sector, where a shutdown could cause fuel supply disruptions and safety risks.

Veeder-Root has already released an update, version 11.A, that addresses the first vulnerability, while a fix for the second is still in development. CISA recommends that users isolate devices on the network, restrict external access, use VPNs, and install firewalls to minimize risks.

Veeder-Root is an American company that produces automated systems for managing underground fuel tanks. Its solutions are actively used at gas stations around the world. Vulnerabilities in such industrial systems demonstrate how industrial control systems (ICS) remain a target for cybercriminals and how important it is to update even “hardware” devices. Bitsight researcher Pedro Umbelino discovered the flaws while analyzing the system’s Linux consoles, showing that a simple error in SOAP command handling can lead to a complete compromise of the infrastructure.

The Veeder-Root TLS4B vulnerabilities are a reminder that even seemingly restricted industrial systems can be attacked through ordinary web interfaces. CISA urges all companies using these solutions to immediately conduct a security audit and install updates to avoid potential cyberattacks and disruptions to critical facilities.
