CVE-2025-58428
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-10-27
Assigner: ICS-CERT
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| veeder-root | tls4b_automatic_tank_gauge | * |
| veeder-root | tls4_series_atg | * |
| veeder-root | tls4b_automatic_tank_gauge | 11.a |
| veeder-root | tls-3xx_series_atg | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the TLS4B ATG system is a command injection flaw in its SOAP-based web services interface. It allows remote attackers who have valid credentials to execute system-level commands on the underlying Linux operating system. This means an attacker can gain full shell access and potentially move laterally within the network, compromising the system and connected devices. [3]
How can this vulnerability impact me?
This vulnerability can lead to full system compromise, including remote command execution and full shell access. Attackers can disrupt core functionalities, cause denial of service, lock out administrators, and move laterally within the network, potentially affecting other connected systems and critical infrastructure. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate CVE-2025-58428 include upgrading the TLS4B ATG system to version 11.A as recommended by Veeder-Root. Additionally, implement network security best practices such as isolating control networks behind firewalls, minimizing network exposure of control system devices, using secure remote access methods like updated VPNs, configuring separated network ports to isolate traffic, changing default network port numbers, and adding serial command security codes to harden remote access. For older systems, consider upgrading to newer models or adding additional network firewall equipment. Organizations should also perform impact analysis and risk assessments before deploying mitigations. [1, 3]