CVE-2026-12183

9.3 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

AI Analysis

Improper Authentication vulnerability in BUK TS-G Gas Station Automation System, allowing remote unauthenticated attackers to invoke administrative actions.

Basic Information

ID CVE-2026-12183
Source TuranSec
Published Jun 13, 2026 at 17:36
Modified Jun 13, 2026 at 17:41

Affected Product

Vendor Nefteprodukttekhnika LLC
Product BUK TS-G Gas Station Automation System
Version 2.9.1, 2.10.2
Affected Versions Nefteprodukttekhnika LLC BUK TS-G Gas Station Automation System 2.9.1

CWE Classification

CWE-287 (Improper Authentication)

AI Assessment

AI Score 9.3 / 10
AI Severity Critical
