1. EXECUTIVE SUMMARY
- CVSS v4 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Veeder-Root
- Equipment: TLS4B Automatic Tank Gauge System
- Vulnerabilities: Improper Neutralization of Special Elements used in a Command (‘Command Injection’), Integer Overflow or Wraparound
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to execute system-level commands, gain full shell access, achieve remote command execution, move laterally within the network, trigger a denial of service condition, cause administrative lockout, and disrupt core system functionalities.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Veeder-Root TLS4B Automatic Tank Gauge System are affected:
- TLS4B: Versions prior to 11.A
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
The TLS4B ATG system’s SOAP-based interface is reachable through the web services handler and does not neutralize special elements in the commands it builds. A remote attacker with valid credentials can use it to execute system-level commands on the underlying Linux system, which can yield remote command execution, full shell access, and potential lateral movement within the network.
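The following is an added illustration of the CWE-77 pattern the advisory describes, not Veeder-Root code and not a description of the TLS4B’s real web services handler: the operation name DiagnosticPing, the host parameter, the ping command and the two sample requests are all hypothetical and constructed here. It shows how a SOAP parameter interpolated into a shell string lets an authenticated caller run extra commands, and the hardened form that validates the parameter against an allowlist and invokes the program without a shell.

```python
"""CWE-77 in a SOAP-style handler: unsafe shell string vs. argv with an allowlist.

Hypothetical illustration. The operation name, parameter and command are
assumptions and do not describe the TLS4B's actual web services handler.
"""
import re
import shlex
import subprocess
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <DiagnosticPing><host>127.0.0.1</host></DiagnosticPing>
  </soap:Body>
</soap:Envelope>"""

# Same request with a shell metacharacter smuggled into the parameter.
MALICIOUS_REQUEST = BENIGN_REQUEST.replace("127.0.0.1", "127.0.0.1; id")


def extract_host(xml_text):
    """Pull the <host> parameter out of the SOAP body."""
    root = ET.fromstring(xml_text)
    body = root.find(SOAP_NS + "Body")
    return body.find("DiagnosticPing/host").text.strip()


def vulnerable_command(xml_text):
    """Build the string an unsafe handler would hand to /bin/sh via shell=True.

    The parameter is interpolated verbatim, so ';', '|', '&&', '$(...)' and
    backticks are interpreted by the shell: this is CWE-77.
    """
    host = extract_host(xml_text)
    return "ping -c 1 " + host


def shell_command_count(cmd):
    """Count the simple commands a POSIX shell would run for cmd.

    shlex with punctuation_chars tokenises ';', '|', '&', '&&' and '||' as
    separate operator tokens, the way the shell's own parser does.
    """
    tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    separators = sum(1 for t in tokens if t in (";", "|", "&", "&&", "||"))
    return separators + 1


# Allowlist for a hostname or dotted IPv4 literal; anything else is rejected.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def hardened_argv(xml_text):
    """Validate the parameter against the allowlist and build an argv list.

    No shell is involved: the list is meant for subprocess.run(argv) with the
    default shell=False, so metacharacters in the parameter are never parsed.
    """
    host = extract_host(xml_text)
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", host]


def run_hardened(xml_text):
    """Execute the hardened argv without a shell (assumes ping is on PATH)."""
    return subprocess.run(hardened_argv(xml_text), capture_output=True,
                          text=True, timeout=5)


if __name__ == "__main__":
    cmd = vulnerable_command(MALICIOUS_REQUEST)
    print("unsafe shell string:", cmd)
    print("commands the shell would run:", shell_command_count(cmd))
    try:
        hardened_argv(MALICIOUS_REQUEST)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The point of shell_command_count is to make the injection visible without executing anything: for the benign request the shell sees one command, for the malicious one it sees two. The hardened path rejects the same input before any process is spawned, and even an accepted value reaches ping as a single argv element rather than as shell text.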
CVE-2025-58428 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-58428. A base score of 9.4 has been calculated; the CVS
[…]