Wednesday, April 30, 2025
Homecyber securityMultiple 0-Day Flaws in Automated Tank Gauge Systems Threaten Critical Infrastructure

Multiple 0-Day Flaws in Automated Tank Gauge Systems Threaten Critical Infrastructure

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity researchers from BitSight TRACE have uncovered multiple 0-day vulnerabilities in Automated Tank Gauge (ATG) systems, which are integral to managing fuel storage tanks across various critical infrastructures.

These vulnerabilities in six ATG systems from five vendors pose significant threats to public safety and economic stability.

The flaws could potentially be exploited by malicious actors to cause physical damage, environmental hazards, and economic losses.

- Advertisement - Google News

The Role of ATG Systems in Critical Infrastructure

Automatic Tank Gauging (ATG) systems are designed to automatically measure and record product level, volume, and temperature in storage tanks.

These systems are used in gas stations and are prevalent in military bases, hospitals, airports, emergency services, and power plants.

They are crucial in ensuring compliance with environmental regulations and optimizing inventory management. However, their exposure to the internet makes them vulnerable targets for cyberattacks.

“Voltage of Team OneFist,” associated with cyberattacks targeting Russian infrastructure, claims the takedown of several devices, one OPW tank gauge included (source: BitSight)
“Voltage of Team OneFist,” associated with cyberattacks targeting Russian infrastructure, claims the takedown of several devices, one OPW tank gauge included (source: BitSight)

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Details of the Vulnerabilities

The investigation by BitSight TRACE identified 11 vulnerabilities across several ATG models. These include OS command injection, authentication bypasses, hardcoded credentials, and SQL injection vulnerabilities.

Each flaw allows attackers to gain full administrative control over the ATG systems.

The vulnerabilities have been assigned CVE identifiers with critical CVSS scores, highlighting their severity: here is a summary of the CVE table data related to the vulnerabilities found in Automated Tank Gauge (ATG) systems:

ProductVulnerability TypeCVECVSS 3.1 Score
Maglink LXOS Command InjectionCVE-2024-4506610.0
Maglink LXOS Command InjectionCVE-2024-4369310.0
Maglink LX4Hardcoded CredentialsCVE-2024-434239.8
OPW SiteSentinelAuthentication BypassCVE-2024-83109.8
Proteus® OEL8000Authentication BypassCVE-2024-69819.8
Maglink LXAuthentication BypassCVE-2024-436929.8
Alisonic SibyllaSQL InjectionCVE-2024-86309.4
Maglink LXXSSCVE-2024-417258.8
Maglink LX4Privilege EscalationCVE-2024-453738.8
Franklin TS-550Arbitrary File ReadCVE-2024-84977.5

These security flaws reflect fundamental design issues that should have been addressed long ago.

Automatic Tank Gauges Vulnerabilities by Product(source: BitSight)
Automatic Tank Gauges Vulnerabilities by Product(source: BitSight)

The exploitation of these vulnerabilities could lead to severe consequences:

  1. Denial of Service (DoS): Attackers could disable ATG systems by reconfiguring settings or flashing faulty firmware.
  2. Physical Damage: By altering critical parameters such as tank geometry and capacity, attackers could cause fuel leaks or disable alarms.
  3. Data Theft: Sensitive operational data could be captured and sold to third parties.
  4. Network Intrusion: Vulnerable ATG systems could serve as entry points for further attacks on internal networks.

These scenarios underscore the urgent need for enhanced security measures to protect these systems from exploitation.

Coordinated Efforts for Mitigation

BitSight has been working closely with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to mitigate these vulnerabilities through responsible disclosure.

They have collaborated with affected vendors for six months to develop remediation strategies.

CISA has published advisories to guide organizations in securing their ATG systems against potential attacks.

The discovery of these vulnerabilities highlights the critical need for improved cybersecurity practices in industrial control systems like ATGs.

These systems are integral to national infrastructure, so their security must be prioritized to prevent potential disasters. Organizations are urged to disconnect ATGs from the internet and implement robust security measures to safeguard against future threats.

Image of an Automated Tank Gauge SystemAs the industry moves towards a “secure by design” philosophy, it is imperative that manufacturers and operators work together to address these vulnerabilities and protect critical infrastructure from cyber threats. 

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free


Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Microsoft Telnet Server Flaw Lets Attackers Bypass Guest Login Restrictions

A newly disclosed vulnerability in Microsoft’s Telnet Server component is making headlines after researchers...

Firefox 138 Launches with Patches for Several High-Severity Flaws

Mozilla has officially released Firefox 138, marking a significant update focused on user security....

Anthropic Report Reveals Growing Risks from Misuse of Generative AI Misuse

A recent threat report from Anthropic, titled “Detecting and Countering Malicious Uses of Claude:...

Link11 brings three brands together on one platform with new branding

Link11 has fully integrated DOSarrest and Reblaze to become one of Europe's leading providers...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Microsoft Telnet Server Flaw Lets Attackers Bypass Guest Login Restrictions

A newly disclosed vulnerability in Microsoft’s Telnet Server component is making headlines after researchers...

Firefox 138 Launches with Patches for Several High-Severity Flaws

Mozilla has officially released Firefox 138, marking a significant update focused on user security....

Anthropic Report Reveals Growing Risks from Misuse of Generative AI Misuse

A recent threat report from Anthropic, titled “Detecting and Countering Malicious Uses of Claude:...