Active Exploitation of Internet-Exposed Automatic Tank Gauge (ATG) Systems in U.S. Critical Infrastructure — CISA/FBI/NSA/DOE Joint Advisory (CVE-2025-58428, Veeder-Root TLS4B & Multi-Vendor ATG Flaws) — Threadlinqs Intelligence
Threat ID: TL-2026-0708 · Severity: HIGH · CVSS: 9.9 · Status: ACTIVE · Category: ICS_SCADA
CISA, FBI, NSA, DOE and partner agencies issued a joint advisory confirming active malicious cyber activity against internet-exposed Automatic Tank Gauge (ATG) systems in U.S. critical infrastructure.
Automatic Tank Gauge (ATG) systems monitor fuel storage tank levels, temperature, and leak detection at gas stations, airports, military bases, hospitals, and other critical-infrastructure sites. In June 2026, CISA, the FBI, NSA, and DOE — joined by EPA, TSA, DOT and USDA — released a joint advisory warning of ongoing malicious activity against internet-exposed ATGs and urging immediate hardening.
The core exposure is architectural: the legacy ATG serial protocol (the Veeder-Root TLS-style command set, with function codes such as I20100 and the relay function code 809) was designed for RS-232 but is now reachable over a raw TCP socket on port 10001. The protocol's only access control is an optional 6-character 'security code' (~1M combinations) that is disabled by default on many devices, so any unauthenticated client can read and modify tank configuration as if it were physically wired to the console.
Beyond the protocol exposure, multiple software vulnerabilities, both authenticated and unauthenticated, affect ATG web and management interfaces. The Veeder-Root TLS4B is affected by CVE-2025-58428, a CVSS 9.9 command injection in its SOAP-based web services interface that lets a remote attacker execute system-level commands and obtain a full shell on the underlying Linux OS, and by CVE-2025-55067 (CVSS 7.1), an integer overflow in Unix time handling (the Year-2038 epoch rollover) that enables denial of service and administrative lockout. Separately, Bitsight disclosed 11 vulnerabilities across six ATG models from five vendors (Maglink LX/LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550), spanning OS command injection (CVE-2024-45066 and CVE-2024-43693, both CVSS 10.0), hardcoded credentials (CVE-2024-43423), authentication bypass (CVE-2024-8310, CVE-2024-6981, CVE-2024-43692), SQL injection (CVE-2024-8630), reflected XSS (CVE-2024-41725), privilege escalation (CVE-2024-45373), and arbitrary file read (CVE-2024-8497).
Observed and demonstrated impact is physical, not merely informational. Attackers can modify tank capacity and geometry to defeat overflow protection (spillage and environmental risk), disable high-level and leak alarms, abuse relay-control functions (ATG function code 809) to rapidly cycle peripheral relays (a living-off-the-land technique shown to physically destroy the relays controlling pumps, ventilation, and emergency shutoff valves: an OMRON G6S-2 failed after ~6.25 hours of ~50 Hz cycling), and trigger device reboot or DoS. In April 2026, attacks against ATGs in Tennessee deleted tank and sensor configuration on unprotected, internet-exposed Veeder-Root TLS-350 and TLS-450 Plus consoles, with at least 15 tanks affected at one convenience-store chain. The U.S. government has not formally attributed the current activity; prior 2025 ATG intrusions at U.S. gas stations were linked by CNN and SC Media reporting to suspected Iranian actors.
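As an added defensive example (not from the advisory, Threadlinqs, or any vendor), the following Python parses ATG command frames captured on TCP/10001 and raises alerts for the risks described above: commands arriving from outside the site network, setup/write commands from unapproved hosts, frames that carry no security code, and bursts of relay (809) commands consistent with the relay-cycling technique. The frame layout (SOH, optional 6-character security code, then a letter plus 3-digit function code plus 2-character selector), the site network, the management host address and the sample records are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Frame layout assumed here: SOH (0x01), optional 6-char security code, then a command
# of 1 letter (I=inquiry, S=setup) + 3-digit function code + 2-char tank/relay selector.
CMD_RE = re.compile(r"^([IS])(\d{3})([0-9A-Z]{2})")
RELAY_FUNC = "809"                                   # relay-control function code named above
BURST_N, BURST_SEC = 20, 1.0                         # 20 relay commands in 1 s is cycling, not an operator
SITE_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # constructed: only network that should reach the ATG
ALLOWED_SRC = {"10.20.0.5"}                          # constructed: the site's approved management host

def parse_frame(payload: bytes):
    """Return (has_security_code, cmd_type, func) or None if not an ATG command frame."""
    if not payload.startswith(b"\x01"):
        return None
    body = payload[1:].decode("ascii", "replace")
    m, has_code = CMD_RE.match(body), False
    if m is None and len(body) > 6:   # assume a 6-char security code precedes the command
        m, has_code = CMD_RE.match(body[6:]), True
    return None if m is None else (has_code, m.group(1), m.group(2))

def analyze(records):
    """Yield (ts, src_ip, severity, reason) for records of (ts, src_ip, payload_bytes)."""
    relay_times = defaultdict(deque)   # per-source timestamps of relay (809) commands
    for ts, src, payload in records:
        parsed = parse_frame(payload)
        if parsed is None:
            continue
        has_code, cmd_type, func = parsed
        if not any(ipaddress.ip_address(src) in net for net in SITE_NETS):
            yield ts, src, "HIGH", "ATG command from outside the site network: console is reachable remotely"
        if cmd_type == "S" and src not in ALLOWED_SRC:
            yield ts, src, "HIGH", f"setup/write command S{func} from an unapproved host"
        if not has_code:
            yield ts, src, "MEDIUM", "frame carries no security code: the protocol's only access control is unused"
        if func == RELAY_FUNC:
            q = relay_times[src]
            q.append(ts)
            while ts - q[0] > BURST_SEC:   # drop timestamps outside the sliding window
                q.popleft()
            if len(q) >= BURST_N:
                q.clear()
                yield ts, src, "CRITICAL", f"{BURST_N}+ relay (809) commands within {BURST_SEC}s: relay cycling"

# Constructed sample: a benign local query, an outside probe, then a relay-cycling burst.
SAMPLE = [(0.0, "10.20.0.5", b"\x01123456I20100"), (1.0, "198.51.100.7", b"\x01I20100")] + [
    (3.0 + i * 0.02, "198.51.100.7", b"\x01S80900") for i in range(BURST_N)]
```

Feeding `SAMPLE` to `analyze` produces one CRITICAL relay-cycling alert for the outside host and nothing for the approved management host.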
Weaknesses (CWE)
CWE-77, CWE-78, CWE-190, CWE-287, CWE-798, CWE-89, CWE-79, CWE-269, CWE-306
Target sectors: energy, chemical, food and agriculture, transportation, government, healthcare
Target regions: North America, United States
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 14 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: ICS_SCADA, HIGH, threat intelligence, cybersecurity, CVE-2025-58428, CVE-2025-55067, CVE-2024-45066, CVE-2024-43693, CVE-2024-43692, CVE-2024-43423, CVE-2024-45373, CVE-2024-41725, CVE-2024-8310, CVE-2024-8630, T1595, T1592, T1190, T1133, T1110, T1078, T1059, T1203, T1068, T1046