PT-2026-49099 · Nefteprodukttekhnika Llc · Buk Ts-G Gas Station Automation System

Qahramon Choriyev +1 · Published 2026-06-13 · Updated 2026-06-13 · CVE-2026-12183

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2

Description

An improper authentication issue exists in the system configuration module. The '/php/ajax-login.php' endpoint returns userid=1 (administrator) when receiving any HTTP POST request with arbitrary credentials via the login and pwd parameters. Furthermore, privileged endpoints under '/php/ajax-main.php' and '/modules/*' fail to validate server-side sessions. This allows a remote unauthenticated attacker to perform administrative actions, such as reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Missing Authentication

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-12183

Affected Products

Buk Ts-G Gas Station Automation System