Description
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.
Published: 2026-06-13
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the system configuration module of the Nefteprodukttekhnika BUK TS-G Gas Station Automation System. A POST request to /php/ajax-login.php returns a userid of 1, granting administrator privileges regardless of supplied credentials. Subsequent calls to privileged endpoints under /php/ajax-main.php and /modules/ lack server-side session validation, providing unauthenticated users full administrative control.

Affected Systems

Affected are Linux installations of the BUK TS-G Gas Station Automation System from version 2.9.1 through 2.10.2. These versions are commonly deployed at fuel dispensing sites. The vulnerability is specific to the mentioned versions and does not affect earlier releases.

Risk and Exploitability

The CVSS score of 9.3 reflects a high severity with potential for full system compromise. Although the EPSS score is not available, the flaw is trivially exploitable via ordinary HTTP requests, and the system does not expose any defensive controls. The vulnerability is not listed in the CISA KEV catalog, so no known exploitation campaigns are currently documented, but the straightforward attack vector makes it attractive to threat actors. Attackers can manipulate fuel dispensers, relays, cash registers, bank terminals, and pricing displays, effectively taking complete control of a gas station's operations.

Generated by OpenCVE AI on June 13, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BUK TS-G Gas Station Automation System to a version that removes the insecure authentication flow.
  • Configure network firewalls or access controls to restrict external access to the /php/ajax-login.php, /php/ajax-main.php, and /modules/* endpoints.
  • Enforce session validation for all privileged endpoints, ensuring that an authenticated session token is required before any configuration changes or hardware controls are accepted.
  • Perform regular security assessments and penetration tests on the automation system to identify any remaining authentication holes.

Generated by OpenCVE AI on June 13, 2026 at 19:20 UTC.
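Because the login endpoint accepts any credentials, failed-login entries carry no signal for this flaw; in a web-server access log the only usable indicators are the source address and the endpoint. The following Python is an added example (not part of the OpenCVE record or the vendor's software) that flags requests to the advisory's login and privileged endpoints from outside a trusted management network, the kind of check that backs the access-restriction recommendation above. The log lines and the 10.20.0.0/16 allowlist are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not from any real host).
SAMPLE_LOG = """\
10.20.0.5 - - [13/Jun/2026:18:02:11 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.20.0.5 - - [13/Jun/2026:18:02:13 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.77 - - [13/Jun/2026:18:40:02 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 45 "-" "python-requests/2.31"
203.0.113.77 - - [13/Jun/2026:18:40:03 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.77 - - [13/Jun/2026:18:40:05 +0000] "GET /modules/dispensers/config.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.9 - - [13/Jun/2026:18:41:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined format: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory: the login endpoint and the privileged ones behind it.
LOGIN_PATH = "/php/ajax-login.php"
PRIVILEGED_PREFIXES = ("/php/ajax-main.php", "/modules/")

def is_sensitive(path):
    """True for the login endpoint and any privileged configuration endpoint."""
    path = path.split("?", 1)[0]
    return path == LOGIN_PATH or path.startswith(PRIVILEGED_PREFIXES)

def find_untrusted_admin_access(log_text, trusted_networks):
    """Return every sensitive-endpoint request whose source is outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_sensitive(m["path"]):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue  # management-network source: expected traffic
        hits.append({"ip": str(ip), "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return hits

def summarize_by_source(hits):
    """Count flagged requests per source address for triage."""
    return dict(Counter(h["ip"] for h in hits))

if __name__ == "__main__":
    flagged = find_untrusted_admin_access(SAMPLE_LOG, ["10.20.0.0/16"])
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize_by_source(flagged))
```

A 200 response to the login POST from an untrusted source followed by privileged-endpoint requests is the pattern to treat as a confirmed compromise, since the server grants userid=1 to any request.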

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 19:45:00 +0000

  Title (added): Unauthenticated Admin Access in Gas Station Automation System

Sat, 13 Jun 2026 18:15:00 +0000

  Description (added): as shown under Description above
  Weaknesses (added): CWE-287, CWE-306
  References (added): none
  Metrics (added):
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-13T17:41:00.118Z

Reserved: 2026-06-13T16:39:43.046Z

Link: CVE-2026-12183

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-13T18:16:22.310

Modified: 2026-06-13T18:16:22.310

Link: CVE-2026-12183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T19:30:24Z

Weaknesses
  • CWE-287: Improper Authentication
  • CWE-306: Missing Authentication for Critical Function