Categories: Cyber Security News

CISA Warns Of Critical Veeder-Root Vulnerabilities Let Attackers Execute System-level Commands

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark advisory highlighting two severe vulnerabilities in Veeder-Root’s TLS4B Automatic Tank Gauge System, a critical tool used in fuel storage and management across the energy sector.

These flaws, if exploited, could enable attackers to run arbitrary system-level commands on affected devices, potentially leading to widespread disruptions in critical infrastructure.

The more severe of the two carries a CVSS v4 base score of 9.4: it is reachable over the network, has low attack complexity, needs no user interaction, and requires only low-privileged credentials on the console.

The flaws were reported to CISA by researcher Pedro Umbelino of Bitsight. Veeder-Root, a U.S.-based company whose equipment is deployed worldwide, urges customers to upgrade immediately.

The vulnerabilities stem from flaws in the system’s handling of commands and time values, exposing Linux-based consoles to manipulation.

Discovered in systems deployed worldwide for monitoring underground storage tanks, they underscore ongoing challenges in securing industrial control systems (ICS) against sophisticated threats.

CISA emphasizes that these issues affect energy operations, where downtime could cascade into fuel supply interruptions or safety hazards.

Vulnerability Breakdown

The TLS4B system, in versions prior to 11.A, suffers from a command injection flaw and from an integer overflow in its handling of Unix time that surfaces at the 2038 rollover (the Y2038 problem).

The command injection (CWE-77, improper neutralization of special elements used in a command) sits in the SOAP-based web services interface: an authenticated remote attacker can submit a request whose parameters contain shell metacharacters, which the console passes unneutralized into a Linux shell command and executes.

This could grant full system access, enabling data theft or further network compromise.
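The pattern behind this class of bug, shown as an added example rather than Veeder-Root's code: the real TLS4B SOAP interface is not publicly documented, so the "Diagnose" operation, the <host> element, the ping feature and the request itself are hypothetical constructions. The vulnerable handler splices the untrusted value into a command string that would go to the shell; the hardened version allow-lists the value and builds an argument vector that no shell ever parses.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Veeder-Root's code. The "Diagnose" operation, the
 * <host> element and the ping feature are hypothetical; the real TLS4B SOAP
 * interface is not publicly documented. Both requests below are constructed. */
static const char SAMPLE_SOAP[] =
    "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soap:Body><Diagnose><host>10.0.0.1; id > /tmp/pwned</host></Diagnose>"
    "</soap:Body></soap:Envelope>";
static const char SAMPLE_SOAP_BENIGN[] =
    "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soap:Body><Diagnose><host>tank-gw.example.net</host></Diagnose>"
    "</soap:Body></soap:Envelope>";

/* Toy extraction of the <host> text node; a real service uses an XML parser
 * and must still treat the resulting string as untrusted. */
int extract_host(const char *soap, char *out, size_t outlen)
{
    const char *start = strstr(soap, "<host>");
    if (start == NULL) return 0;
    start += strlen("<host>");
    const char *end = strstr(start, "</host>");
    if (end == NULL || (size_t)(end - start) >= outlen) return 0;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 1;
}

/* VULNERABLE pattern (CWE-77): the untrusted value is spliced into a command
 * line that system() would hand to "/bin/sh -c", so ';', '|', '&', '`' and
 * "$(...)" are parsed as shell syntax rather than as part of the host name. */
const char *vulnerable_command_for(const char *soap)
{
    static char host[256], cmd[512];
    if (!extract_host(soap, host, sizeof host)) return NULL;
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return cmd;   /* the unsafe handler would now call system(cmd) */
}

/* HARDENED step 1: allow-list the value. A host name needs only
 * [A-Za-z0-9.-], may not start with '-' (option injection) and must stay
 * within 253 bytes. Anything else is rejected before any command is built. */
int is_safe_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED step 2: build an argument vector instead of a command string.
 * execv() passes argv to the kernel directly; no shell ever sees the host. */
int hardened_argv_for(const char *soap, const char *argv[5])
{
    static char host[256];
    if (!extract_host(soap, host, sizeof host) || !is_safe_hostname(host))
        return 0;
    argv[0] = "/bin/ping"; argv[1] = "-c"; argv[2] = "1";
    argv[3] = host;        argv[4] = NULL;
    return 1;   /* caller would fork() and execv(argv[0], (char *const *)argv) */
}

/* Convenience wrapper: 1 if the hardened handler would run the request. */
int hardened_accepts(const char *soap)
{
    const char *argv[5];
    return hardened_argv_for(soap, argv);
}

int main(void)
{
    printf("unsafe handler would run : %s\n", vulnerable_command_for(SAMPLE_SOAP));
    printf("hardened handler accepts malicious request: %d\n", hardened_accepts(SAMPLE_SOAP));
    printf("hardened handler accepts benign request   : %d\n", hardened_accepts(SAMPLE_SOAP_BENIGN));
    return 0;
}
```

The allow-list, not the argument vector alone, is what stops option injection: a value such as "-f" would survive execv unharmed but still change what ping does, which is why the check rejects a leading '-' as well as metacharacters.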

The second flaw, an integer overflow (CWE-190), is the classic Y2038 problem: the console holds Unix time in a signed 32-bit value that cannot represent any instant after 03:14:07 UTC on 19 January 2038, so past that point the value wraps and the clock reads as December 1901, causing authentication failures, log corruption, and halted leak detection.

An attacker does not need to wait for 2038: tampering with the system time so that it crosses the rollover triggers the same state on demand, producing a denial-of-service (DoS) condition that locks out administrators and disrupts operations.
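How a signed 32-bit time field produces exactly these symptoms, as an added example rather than Veeder-Root's code: the TLS4B internals are not public, so the field width, the session-expiry check and the log-ordering check below are assumptions used only to reproduce the failure mode. It wraps the clock the way a legacy int32 field would, decodes the result to a calendar year, and contrasts the legacy 32-bit session check with a 64-bit one.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added illustration, not Veeder-Root's code. It models a console that keeps
 * Unix time in a signed 32-bit field (the Y2038 problem, CWE-190). The TLS4B
 * internals are not public, so the field width, session check and log
 * ordering below are assumptions used only to show the failure mode. */

/* 03:14:07 UTC, 19 January 2038: the last second a signed 32-bit value holds */
#define Y2038_LIMIT ((int64_t)INT32_MAX)

/* Reduce a true (64-bit) epoch value to what a legacy int32_t field stores.
 * Done with unsigned arithmetic so the wrap is well-defined C, not UB. */
int32_t wrap_to_int32(int64_t seconds)
{
    uint32_t u = (uint32_t)seconds;                      /* modulo 2^32 */
    if (u >= 0x80000000u)
        return (int32_t)(u - 0x80000000u) - INT32_MAX - 1;
    return (int32_t)u;
}

/* Calendar year a 32-bit timestamp decodes to on a host with 64-bit time_t */
int year_of(int32_t t)
{
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    return tm ? tm->tm_year + 1900 : -1;
}

/* Legacy session check: valid while the clock has not passed the expiry.
 * The expiry is computed in the same 32-bit field, so it can wrap. */
int session_valid_32(int32_t issued, int32_t ttl_seconds, int32_t now)
{
    int32_t expires_at = wrap_to_int32((int64_t)issued + ttl_seconds);
    return now <= expires_at;
}

/* Fixed check: 64-bit arithmetic; no wrap for the next ~292 billion years. */
int session_valid_64(int64_t issued, int64_t ttl_seconds, int64_t now)
{
    return now <= issued + ttl_seconds;
}

/* Legacy log writer's sanity check: the next entry must not predate the last */
int log_in_order_32(int32_t previous, int32_t next)
{
    return next >= previous;
}

int main(void)
{
    for (int64_t t = Y2038_LIMIT; t <= Y2038_LIMIT + 1; t++) {
        int32_t f = wrap_to_int32(t);
        printf("true clock %" PRId64 " -> 32-bit field %" PRId32 " (year %d)\n",
               t, f, year_of(f));
    }

    /* An admin logs in ten minutes before the rollover with a one-hour
     * session. Five minutes later the 32-bit check already rejects it: the
     * expiry wrapped into 1901 while the clock is still in 2038. */
    int32_t issued = wrap_to_int32(Y2038_LIMIT - 600);
    int32_t now    = wrap_to_int32(Y2038_LIMIT - 300);
    printf("session valid (32-bit): %d\n", session_valid_32(issued, 3600, now));
    printf("session valid (64-bit): %d\n",
           session_valid_64(Y2038_LIMIT - 600, 3600, Y2038_LIMIT - 300));

    /* Two log entries one second apart straddle the rollover; the second
     * appears to be 136 years older than the first. */
    printf("log order preserved: %d\n",
           log_in_order_32(wrap_to_int32(Y2038_LIMIT), wrap_to_int32(Y2038_LIMIT + 1)));
    return 0;
}
```

Note that the session is rejected before the clock itself rolls over: any expiry or deadline computed by adding a TTL to a timestamp near the limit wraps first, which is why an attacker who can set the console's time to within minutes of the limit gets the lockout without waiting for the rollover to arrive.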

CVE-2025-58428
Description: Command injection (CWE-77) via the SOAP interface; enables remote code execution and shell access.
Affected products: TLS4B prior to 11.A
CVSS v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVSS v4: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

CVE-2025-55067
Description: Integer overflow (CWE-190) in Unix time handling; triggers denial of service and functional disruption.
Affected products: TLS4B prior to 11.A
CVSS v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
CVSS v4: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N)

Mitigations

Exploitation could yield remote command execution, lateral movement, administrative lockouts, and DoS conditions, severely impacting energy infrastructure reliability.

Both flaws require nothing more than valid low-privileged credentials, so any unpatched console that is reachable over the network is at risk.

Veeder-Root recommends upgrading to TLS4B version 11.A, which fixes the command injection. A fix for the time overflow is still in development, so in the meantime users should follow network-security best practices such as isolating the devices from other networks and restricting access to their service ports.

CISA advises minimizing internet exposure, deploying firewalls, and using VPNs for remote access while conducting thorough risk assessments.
