ATG Exposure Report
INTERNET-ACCESSIBLE TANK GAUGES · UNITED STATES
CISA ADVISORY · JUN 2 2026
ACTIVE EXPLOITATION IN PROGRESS — CISA / FBI / NSA / DOE / EPA Joint Advisory (June 2, 2026)
Cyber threat actors are actively compromising internet-exposed Automatic Tank Gauge (ATG) systems across the United States, executing commands to alter network settings, tank volumes, and pump controls, and to disable safety alarms. Suspected Iran-nexus activity. CISA urges all ATG owners to immediately remove devices from public internet access and implement VPN-only access.
ATGs exposed globally (2022): 11,000+ (↑120% since 2015)
US exposed ATGs (est. current): ~7,200 (~64% of global total)
Total US fueling stations: 150,000 (~5% exposure rate)
Affected ATG vendors: 5 (11 CVEs disclosed 2024)
Primary exposed TCP port: 10001 (also: 8001, 9001)
[Map: Internet-Exposed ATGs by State — Estimated Distribution; accompanying Top States table with columns #, State, Exposed, Share]
Threat Intelligence Timeline
🔴
Active Exploitation — Iran-Nexus Suspected (May–Jun 2026)
Threat actors breached multiple US ATG systems, modifying display readings and probing for deeper access via Shodan/Censys enumeration. A CISA emergency advisory was issued June 2, 2026, alongside FBI, NSA, DOE, EPA, TSA, DOT, and USDA.
ACTIVE · KEV · NATION-STATE
🟠
BitSight TRACE — 11 CVEs Across 5 Vendors (Sep 2024)
Critical zero-days disclosed in Maglink LX/LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Vulnerabilities allow auth bypass, OS command execution, SQL injection, and full device takeover.
11 CVEs · 0-DAY · 5 VENDORS
🟡
Cyborg Study — 120% Increase in Exposed ATGs (2022)
A follow-up to Rapid7's 2015 research found that exposure grew from 5,800 to 11,000+ ATGs worldwide on TCP/10001, nearly two-thirds of them in the US. The problem is worsening year over year as new systems come online insecurely.
120% GROWTH · PORT 10001
🔵
Rapid7 Project Sonar — First Disclosure (Jan 2015)
HD Moore identified ~5,800 ATGs exposed without passwords. Top states: NY, TX, VA, FL, IL, MD, CA, PA, CT, TN. The majority were Veeder-Root TLS systems, mapped via Digi/Lantronix serial port servers.
5,300 US · ORIGINAL RESEARCH
Affected ATG Vendors & Models
Gilbarco Veeder-Root (TLS-350 · TLS-450 · TLS-450PLUS): ~60%, DOMINANT
Franklin Fueling Systems (TS-550 · TS-5000): ~15%, CVE-2024
OPW Fuel Management (SiteSentinel Integra · Nano): ~10%, CVE-2024
Dover Fueling Solutions (Maglink LX · LX4): ~8%, CVE-2024
Alisonic (Sibylla): ~5%, CVE-2024
Proteus OEL (OEL8000 III): ~2%, CVE-2024
Primary exposure vector: TCP/10001 (Veeder-Root protocol, unauthenticated by default).
Also: TCP/8001, TCP/9001, HTTP web interfaces.
Legacy protocol designed for serial — no encryption, optional weak 6-digit code.
Known CVEs — ATG Systems (2024 BitSight TRACE Disclosure)
CVE CVSS Vendor / Product Vulnerability Type Impact
🔌
Remove from Public Internet
Immediately block TCP ports 8001, 9001, and 10001 at the firewall. Do not expose any ATG management interface directly to the internet. This is the single most impactful action.
🔒
Enforce Credential Security
Change all default passwords immediately. Implement strong, unique security codes. Enable 6-digit security codes on serial port access (disabled by default on most models). Add MFA where feasible.
🛡️
VPN / ACL Gating
If remote monitoring is required, place ATG behind a VPN gateway or restrict by IP ACL/firewall rule. Never allow unauthenticated serial-to-TCP bridging on an internet-facing interface.
🔧
Apply Vendor Patches
Work with certified ATG service providers to apply latest firmware and security patches. Note: many legacy TLS-350 / TS-550 models require physical technician visits for updates.
📋
Monitor & Log
Enable logging on ATG interfaces. Monitor for unauthorized connections, alarm threshold changes, tank label modifications, unexpected pump relay toggles. Report incidents to CISA at report@cisa.gov.
🚨
Assume Compromise if Exposed
Any ATG with TCP/10001 reachable from the internet should be treated as potentially compromised. Inspect immediately for modified thresholds, altered tank geometry, disabled alarms, and unauthorized network changes.
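
The "VPN / ACL Gating" and "Monitor & Log" items above can be checked against gateway logs. The following is an added example, not part of the report or of any advisory: it flags connections to the ATG ports named here (8001, 9001, 10001) from sources outside an allowlisted VPN pool. The log lines are constructed and trimmed to the fields used, and the `ATG-IN` log prefix, the iptables LOG style, and the 10.8.0.0/24 VPN pool are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

ATG_PORTS = {8001, 9001, 10001}  # ports this report names as ATG exposure vectors
# Assumption: remote monitoring is permitted only from this VPN address pool.
ALLOWED_SOURCES = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed sample lines in iptables LOG style; all addresses are made up.
SAMPLE_LOG = """\
Jun  3 02:14:07 gw kernel: ATG-IN SRC=10.8.0.15 DST=192.168.50.20 PROTO=TCP SPT=40112 DPT=10001
Jun  3 02:15:31 gw kernel: ATG-IN SRC=203.0.113.77 DST=192.168.50.20 PROTO=TCP SPT=51820 DPT=10001
Jun  3 02:15:40 gw kernel: ATG-IN SRC=198.51.100.9 DST=192.168.50.20 PROTO=TCP SPT=33001 DPT=10001
Jun  3 02:16:02 gw kernel: ATG-IN SRC=203.0.113.77 DST=192.168.50.21 PROTO=TCP SPT=51944 DPT=8001
Jun  3 02:17:19 gw kernel: ATG-IN SRC=198.51.100.9 DST=192.168.50.30 PROTO=TCP SPT=33017 DPT=443
Jun  3 02:18:55 gw kernel: ATG-IN SRC=not-an-ip DST=192.168.50.20 PROTO=TCP SPT=1 DPT=10001
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return (src_ip, dst, dport) for a TCP log line, or None if unusable."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    try:
        return ipaddress.ip_address(fields["SRC"]), fields["DST"], int(fields["DPT"])
    except ValueError:
        return None  # malformed address or port: skip the line, do not crash


def unauthorized_atg_access(log_text, allowed=ALLOWED_SOURCES):
    """Map each (dst, port) on an ATG port to the non-allowlisted sources seen."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in ATG_PORTS and not any(src in net for net in allowed):
            hits[(dst, dport)].add(str(src))
    return dict(hits)


if __name__ == "__main__":
    for (dst, port), srcs in sorted(unauthorized_atg_access(SAMPLE_LOG).items()):
        print(f"ALERT {dst}:{port} reached from outside the VPN pool: {sorted(srcs)}")
```

Any hit means the firewall rule or VPN gate is not doing its job for that device, which under the "Assume Compromise if Exposed" item makes it a candidate for inspection.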