CVE-2026-12183
Description
Unauthenticated remote attackers can gain full admin access to BUK TS-G gas station automation systems (2.9.1–2.10.2) due to improper authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The BUK TS-G Gas Station Automation System (versions 2.9.1 through 2.10.2 on Linux) contains an improper authentication vulnerability in its system configuration module. The /php/ajax-login.php endpoint always returns userid=1 (administrator) in response to any HTTP POST request, regardless of supplied credentials [1][2]. Subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate server-side sessions, allowing unrestricted access to all administrative functions [1][2].
Exploitation
An unauthenticated attacker with network access to the system can send an HTTP POST request to /php/ajax-login.php with arbitrary login and pwd parameters (e.g., action=dologin&login=test&pwd=test). The endpoint responds with userid=1, granting administrator privileges. The attacker can then directly call any endpoint under /php/ajax-main.php or /modules/* without further authentication [1][3]. No user interaction or special network position beyond standard HTTP reachability is required.
Impact
Successful exploitation provides full administrative control over the gas station automation system [1]. An attacker can read and modify user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules [1]. This can lead to operational disruption, financial fraud, and potential safety hazards due to tampering with fuel dispensing equipment.
Mitigation
As of the publication date (2026-06-13), no official patch has been released. The vendor, Nefteprodukttekhnika, has not publicly addressed the vulnerability [3]. Users should restrict network access to the administrative web interface (e.g., via firewall rules or placing the system on a segregated management network) until an official fix is available [3]. The affected product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
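One way to verify the network restriction recommended above, as an added example that is not part of this advisory or the vendor's software: a short Python script that scans constructed web-server access-log lines for requests to the administrative endpoints the advisory names (/php/ajax-login.php, /php/ajax-main.php, /modules/*) arriving from outside an assumed management network (10.10.0.0/24 is a placeholder), which is exactly the traffic a firewall rule or segregated management network should have blocked.

```python
import ipaddress
import re

# Endpoints the advisory identifies as granting or exercising administrative access.
ADMIN_PATHS = ("/php/ajax-login.php", "/php/ajax-main.php", "/modules/")

# Assumption: the segregated management network from which admin traffic is expected.
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")

# Apache/nginx common log format: ip ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_admin_path(path):
    """True if the path (query string stripped) is one of the advisory's admin endpoints."""
    base = path.split("?", 1)[0]
    return any(base == p or base.startswith(p) for p in ADMIN_PATHS)

def find_unrestricted_admin_access(lines, management_net=MANAGEMENT_NET):
    """Return (ip, method, path, status) for admin-endpoint requests from outside the management net."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed client field; skip rather than crash on one bad line
        if src not in management_net:
            findings.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return findings

# Constructed sample lines (not real traffic; the /modules/ file name is made up): one login from
# the management network, an outside login followed by a direct privileged call, one unrelated hit.
SAMPLE_LOG = [
    '10.10.0.5 - - [13/Jun/2026:09:00:01 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 47',
    '198.51.100.23 - - [13/Jun/2026:09:05:12 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 47',
    '198.51.100.23 - - [13/Jun/2026:09:05:13 +0000] "GET /modules/example.php?id=3 HTTP/1.1" 200 1204',
    '198.51.100.23 - - [13/Jun/2026:09:05:20 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, method, path, status in find_unrestricted_admin_access(SAMPLE_LOG):
        print(f"admin endpoint reached from outside management net: {ip} {method} {path} -> {status}")
```

Any hit this reports after the restriction is in place means the firewall rule or network segregation is not actually enforced in front of the web interface.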
AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 2.9.1 - 2.10.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.