Veeder-Root TLS4B Automatic Tank Gauge System Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the Veeder-Root TLS4B Automatic Tank Gauge (ATG) system in versions prior to 11.A. The flaw is in the system's SOAP-based interface, which is accessible through the web services handler, and it allows remote attackers with valid credentials to execute system-level commands on the underlying Linux operating system. Exploitation of this vulnerability could lead to remote code execution, full shell access, and potential lateral movement within the network.
Impact
Successful exploitation of this vulnerability could allow remote code execution, full shell access, and lateral movement within the network.
Remediation
Users are advised to upgrade the TLS4B to version 11.A. For additional help or questions, contact Veeder-Root Technical Support at +1.800.323.1799.
