PT-2026-49099 · Nefteprodukttekhnika Llc · Buk Ts-G Gas Station Automation System
Qahramon Choriyev +1 · Published 2026-06-13 · Updated 2026-06-13 · CVE-2026-12183
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2
Description
An improper authentication issue exists in the system configuration module. The '/php/ajax-login.php' endpoint returns userid=1 (administrator) in response to any HTTP POST request, whatever credentials are supplied in the login and pwd parameters. Furthermore, privileged endpoints under '/php/ajax-main.php' and '/modules/*' fail to validate server-side sessions. This allows a remote unauthenticated attacker to perform administrative actions, such as reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
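Until a fixed version is available, web server access logs can be reviewed for use of the endpoints named in the description. The following is an added example, not vendor or advisory code: it assumes logs in common/combined format and a management network of 10.20.0.0/24, and the sample lines (including the path under /modules/) are constructed placeholders.

```python
import ipaddress
import re

# Assumption: operator workstations live in this network; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LOGIN_PATH = "/php/ajax-login.php"
PRIVILEGED = re.compile(r"^/(php/ajax-main\.php$|modules/)")
# Common/combined log format: client, timestamp, method, target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def review(lines):
    """Return (client, path, reason) findings for the affected endpoints."""
    findings, logged_in = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _ts, method, target, _status = m.groups()
        path = target.split("?", 1)[0]
        if path == LOGIN_PATH and method == "POST":
            logged_in.add(client)
            if not is_trusted(client):
                findings.append((client, path, "login from untrusted network"))
        elif PRIVILEGED.match(path):
            if not is_trusted(client):
                findings.append((client, path, "privileged endpoint from untrusted network"))
            elif client not in logged_in:
                # The endpoints do not check sessions, so this is worth a look.
                findings.append((client, path, "privileged endpoint with no prior login"))
    return findings

# Constructed sample log lines (documentation addresses), not real traffic.
SAMPLE = [
    '10.20.0.5 - - [13/Jun/2026:08:00:01 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 31',
    '10.20.0.5 - - [13/Jun/2026:08:00:02 +0000] "GET /php/ajax-main.php?x=1 HTTP/1.1" 200 512',
    '10.20.0.9 - - [13/Jun/2026:08:05:00 +0000] "GET /modules/EXAMPLE/placeholder.php HTTP/1.1" 200 900',
    '203.0.113.7 - - [13/Jun/2026:09:00:00 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 31',
    '203.0.113.7 - - [13/Jun/2026:09:00:01 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 64',
    '10.20.0.5 - - [13/Jun/2026:09:10:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="  ")
```

The "no prior login" check only sees logins inside the log window being reviewed, so a finding of that kind is a prompt for follow-up rather than proof of misuse.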
Exploit
Missing Authentication
Improper Authentication
Related Identifiers
Affected Products
Buk Ts-G Gas Station Automation System