PatchSiren cyber security CVE debrief
CVE-2025-58428 Veeder-Root CVE debrief
CVE-2025-58428 affects Veeder-Root’s TLS4B Automatic Tank Gauge System and is rated Critical in the supplied advisory data. CISA’s CSAF states that the system’s SOAP-based interface is exposed through the web services handler, and that a remote attacker with valid credentials may execute system-level commands on the underlying Linux system. The practical impact can include remote command execution, full shell access, and possible lateral movement within the network. Veeder-Root recommends upgrading TLS4B to Version 11.A.
- Vendor: Veeder-Root
- Product: TLS4B
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-10-23
- Original CVE updated: 2025-10-23
- Advisory published: 2025-10-23
- Advisory updated: 2025-10-23
Who should care
Operators of Veeder-Root TLS4B deployments, OT/ICS security teams, plant engineers, system integrators, and network administrators responsible for tank gauge systems or adjacent industrial networks should prioritize this issue.
Technical summary
The advisory describes an authenticated remote command execution condition in the TLS4B SOAP-based web services path. The vulnerability is reachable over the network and requires valid credentials, but the impact is severe because successful exploitation can yield system-level command execution on the device’s Linux host. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, reflecting remote access, low attack complexity, and high impact across confidentiality, integrity, and availability.
Defensive priority
Immediate. This is a high-risk OT/ICS exposure with critical impact and a vendor-provided fix. Prioritize patching and access hardening ahead of routine maintenance work.
Recommended defensive actions
- Upgrade Veeder-Root TLS4B to Version 11.A as recommended by the vendor.
- Restrict and review access to the web services handler and SOAP interface, especially credentialed remote access paths.
- Audit all TLS4B accounts and credentials; remove unused accounts and rotate credentials where appropriate.
- Segment the TLS4B and related OT assets from enterprise networks to reduce lateral movement risk.
- Monitor for unexpected command execution, configuration changes, or new network access patterns on affected systems.
- Follow CISA/ICS recommended practices for network security and defense in depth when deploying or connecting the console to a network port.
- Contact Veeder-Root Technical Support at +1.800.323.1799 for deployment-specific guidance if needed.
Evidence notes
All substantive findings here come from the supplied CISA CSAF source item and its included remediation text. The advisory explicitly states that the SOAP-based interface is accessible through the web services handler, that attackers with valid credentials can execute system-level commands on the underlying Linux system, and that the likely outcomes include remote command execution, shell access, and potential lateral movement. The remediation guidance in the source recommends upgrading to Version 11.A. No exploit details, external analysis, or unsupported impact claims were added.
Official resources
- CVE-2025-58428 CVE record (CVE.org)
- CVE-2025-58428 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in initial publication of ICSA-25-296-03 on 2025-10-23, which is also the CVE published and modified date supplied in the source data.