Two separate but concurrent threat threads are affecting OT and critical infrastructure operators this month: mass exploitation of authentication and command-injection vulnerabilities in widely deployed Four-Faith industrial routers, and a continuing Iranian-linked campaign targeting Automatic Tank Gauge (ATG) systems at US petrol stations. Both represent active, in-progress exploitation — not future risk.
Four-Faith Industrial Routers: Active Exploitation at Scale
Four-Faith is a Chinese manufacturer of industrial cellular routers used across utilities, manufacturing, transport, and remote monitoring deployments globally. Two vulnerabilities disclosed in late 2024 are now under coordinated mass exploitation.
CVE-2024-12856 is an OS command injection flaw in Four-Faith model F3x24 and F3x36 routers (CVSS 7.2). The vulnerability allows authenticated attackers — or attackers who have bypassed authentication via the companion flaw — to execute arbitrary operating system commands on the affected device.
CVE-2024-9643 is an authentication bypass affecting the same product line, allowing unauthenticated access to the router’s management interface. The combination of the two vulnerabilities — bypass authentication, then inject commands — provides unauthenticated remote code execution on affected devices.
Mass exploitation activity was first observed on 12 May 2026. Researchers tracking the campaign have identified 139 distinct attacking IP addresses, with attack traffic originating from scanning infrastructure associated with multiple threat actor clusters. Approximately 15,800 Four-Faith devices are internet-exposed and potentially vulnerable. The broad attack surface, simple exploitation chain, and industrial deployment context make this a high-priority issue for any organisation running Four-Faith equipment.
What attackers do post-compromise
Observed post-exploitation activity on compromised devices includes router recruitment into botnet infrastructure, credential harvesting from device configuration stores (which often contain upstream network credentials), and use of compromised devices as pivot points into connected OT networks. Industrial routers by design bridge IT and OT network segments — a compromised router with access to both segments is a significant lateral movement risk.
Immediate actions
Operators running Four-Faith F3x24 or F3x36 devices should:
- Apply available firmware updates from Four-Faith immediately
- Audit which Four-Faith devices are internet-facing and remove management interface exposure from the public internet
- Check router configuration stores for credentials that may have been accessible and rotate them
- Review network logging on segments connected to affected routers for anomalous lateral movement since 12 May
If patching is not immediately possible, move management interfaces behind a VPN or jump host and restrict administrative access to known-good source addresses.
Iranian Threat Actors and US Fuel ATG Systems
Parallel to the Four-Faith exploitation activity, a pattern of targeted attacks against Automatic Tank Gauge systems at US petrol stations has continued through May. ATG systems — most commonly Veeder-Root TLS4B units — monitor underground fuel storage tanks for inventory levels, temperature, and leak detection. They are safety-critical and are typically network-connected for remote monitoring.
A CNN investigation published 15 May documented a Tennessee-based petrol station chain hit with manipulation of ATG readings across 15 tanks. Iranian-linked threat actors — consistent with the CyberAv3ngers cluster previously attributed to attacks on Israeli water infrastructure and US municipal water systems — have been observed conducting automated scanning and exploitation of internet-exposed ATG management interfaces.
CISA published an ICS advisory for Veeder-Root TLS4B ATG systems in October 2025, flagging authentication weaknesses in the web management interface. The Energy Merchants Association issued a sector-level advisory on 14 April 2026 following escalation of observed attack activity. Neither advisory has driven the removal of exposed ATG systems from the internet at the pace required — Shodan data suggests several thousand TLS4B management interfaces remain publicly accessible.
Why ATG attacks matter beyond the obvious
Manipulation of ATG readings has two risk vectors. The first is direct — incorrect fuel inventory data can cause delivery and safety issues, and manipulation of leak detection thresholds could mask real leaks with environmental and regulatory consequences. The second is less obvious: ATG systems at petrol stations are often connected to the same network segments as payment systems, forecourt management, and in some cases wider corporate infrastructure. A compromised ATG system is a foothold, not just a disrupted sensor.
Immediate actions for fuel sector operators
- Verify that ATG management interfaces are not exposed to the internet — use Shodan or similar to check your own external footprint
- Apply the Veeder-Root firmware updates referenced in the CISA October 2025 advisory
- Segregate ATG systems onto dedicated network segments with no direct connectivity to payment or corporate systems
- Review ATG access logs for authentication attempts from unexpected sources since April
Both the Four-Faith and ATG campaigns underscore the same structural problem: internet-exposed OT and industrial management interfaces that were deployed without the assumption that they would be systematically targeted. The assumption has changed. The exposure has not.