CVE-2026-12183

CRITICAL

Nefteprodukttekhnika LLC Buk Ts-g Gas Station Automation System < 2.10.2 - Improper Authentication


Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

References (4)

Exploit (third-party advisory): BUK_TS_KILLER - Proof-of-concept exploit for the BUK TS-G authentication bypass
    https://github.com/ciprobe/bukts_auth_bypass

Vendor Advisory: Nefteprodukttekhnika BUK TS-G - Vendor distribution
    https://bukts.ru/repo-bukts-current

Technical Description: CWE-287: Improper Authentication
    https://cwe.mitre.org/data/definitions/287.html

Technical Description: CWE-306: Missing Authentication for Critical Function
    https://cwe.mitre.org/data/definitions/306.html

Scores

CVSS v3.1 base score: 9.8 (Critical)
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-287, CWE-306
Status: published
Products (1): Nefteprodukttekhnika LLC / BUK TS-G Gas Station Automation System 2.9.1 - 2.10.2
Published: Jun 13, 2026
Tracked Since: Jun 14, 2026