Over 900 US Gas Station Tank Gauge Systems Exposed to Remote Attacks
What Happened – More than 900 Automatic Tank Gauge (ATG) devices used at U.S. fuel stations and industrial sites were found publicly reachable on the Internet, exposing hard‑coded credentials, SQL‑injection flaws and OS‑command execution bugs. Federal agencies (CISA, FBI, NSA, DOE) issued a joint advisory warning that threat actors are actively exploiting these weaknesses to alter system settings and disable safety alerts.
Why It Matters for TPRM –
- Critical‑infrastructure sensors are being weaponised, raising the risk of fuel leaks, environmental damage, and service interruption.
- The exposure stems from default configurations and inadequate network segmentation—issues that often originate with third‑party device vendors or integrators.
- Organizations that rely on ATG data for inventory, compliance or safety must verify that their suppliers have hardened these devices.
Who Is Affected – Energy & Utilities (fuel retail, chemical storage), industrial facilities using ATG devices, and third‑party service providers that manage or monitor these systems.
Recommended Actions –
- Inventory all ATG devices and confirm they are not Internet‑exposed.
- Enforce firewall/VPN controls, disable unnecessary ports, and apply vendor security patches.
- Replace default passwords with strong, unique credentials and enable MFA where supported.
- Monitor for unauthorized configuration changes and integrate ATG logs into SIEM/ICS monitoring.
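As an added example (not part of the advisory or the source article), the inventory and monitoring items above can be checked against perimeter logs: the Python below flags allowed connections to inventoried ATG devices on port 10001/TCP that originate outside a management network. The key=value log format, all addresses, and the function names are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

ATG_PORT = 10001  # TCP port the brief's Technical Notes name for ATG devices

# Constructed sample firewall records (key=value); all addresses are placeholders.
SAMPLE_LOG = """\
ts=2025-01-10T03:14:07Z action=allow proto=tcp src=203.0.113.45 dst=10.20.0.11 dport=10001
ts=2025-01-10T03:14:09Z action=allow proto=tcp src=203.0.113.45 dst=10.20.0.11 dport=10001
ts=2025-01-10T03:15:30Z action=deny proto=tcp src=198.51.100.7 dst=10.20.0.12 dport=10001
ts=2025-01-10T04:02:11Z action=allow proto=tcp src=10.20.5.8 dst=10.20.0.11 dport=10001
ts=2025-01-10T04:05:00Z action=allow proto=tcp src=10.30.9.77 dst=10.20.0.12 dport=10001
ts=2025-01-10T04:06:00Z action=allow proto=tcp src=203.0.113.45 dst=10.20.0.11 dport=443
malformed line without fields
"""

def parse(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    rec = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return rec if {"action", "proto", "src", "dst", "dport"} <= rec.keys() else None

def audit_atg_access(lines, atg_hosts, mgmt_nets, internal_nets):
    """Count allowed flows to inventoried ATGs on 10001/TCP from outside the management networks."""
    mgmt = [ipaddress.ip_network(n) for n in mgmt_nets]
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != str(ATG_PORT):
            continue
        if rec["action"] != "allow" or rec["dst"] not in atg_hosts:
            continue  # denied flows and hosts outside the inventory are not findings
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # unparseable source address
        if any(src in n for n in mgmt):
            continue  # expected management traffic
        kind = "segmentation-gap" if any(src in n for n in internal) else "internet-exposed"
        findings[(rec["dst"], rec["src"], kind)] += 1
    return dict(findings)

if __name__ == "__main__":
    result = audit_atg_access(SAMPLE_LOG.splitlines(), {"10.20.0.11", "10.20.0.12"},
                              ["10.20.5.0/24"], ["10.0.0.0/8"])
    for (dst, src, kind), n in sorted(result.items()):
        print(f"{kind}: {src} -> {dst}:{ATG_PORT} ({n} allowed connections)")
```

Any "internet-exposed" finding means a device in the inventory accepted traffic from outside the site ranges; a "segmentation-gap" finding means an internal host outside the management network reached it.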
Technical Notes – The ATG devices expose port 10001/TCP and suffer from hard‑coded credentials, authentication bypasses, SQL‑injection, OS command execution and privilege‑escalation flaws. No specific CVE IDs were disclosed. Exploitation can disable leak‑detection alerts, potentially causing environmental incidents.
Source: BleepingComputer