CVE-2026-12183
Authentication Bypass in Nefteprodukttekhnika BUK TS-G Gas Station Automation System

Publication date: 2026-06-13

Last updated on: 2026-06-13

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.
Meta Information
Published: 2026-06-13
Last Modified: 2026-06-13
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nefteprodukttekhnika
Product: buk_ts-g_gas_station_automation_system
Version / Range: From 2.9.1 (inc) to 2.10.2 (inc)
CWE ID and description:
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

This vulnerability is an Improper Authentication issue (CWE-287) in the Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2 on Linux. The system's /php/ajax-login.php endpoint returns a userid=1 (administrator) response to any HTTP POST request with arbitrary credentials, effectively bypassing authentication. Additionally, privileged endpoints under /php/ajax-main.php and /modules/* do not validate server-side sessions, allowing a remote unauthenticated attacker to perform any administrative action exposed by the configuration module.

  • The attacker can read and modify user rules.
  • They can manipulate fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, and fuel cards.
  • They can alter price and customer displays, cash collection, and pricing rules.

Impact Analysis

This vulnerability allows a remote unauthenticated attacker to gain full administrative access to the gas station automation system without any valid credentials. This can lead to unauthorized control over critical system components such as fuel dispensers, pricing, cash registers, and user management.

  • Unauthorized modification of fuel prices and customer displays, potentially causing financial loss or fraud.
  • Manipulation of fuel tank gauges and dispensers, which could disrupt operations or cause safety hazards.
  • Access to sensitive user data and administrative functions, risking data confidentiality and integrity.
  • Potential disruption of cash collection and bank terminal operations, impacting revenue and transaction security.

Detection Guidance

This vulnerability can be detected by sending HTTP POST requests to the /php/ajax-login.php endpoint with arbitrary credentials and observing the response. If the response contains userid=1 (administrator) regardless of the credentials supplied, it indicates the presence of the improper authentication vulnerability.

A simple detection command using curl could be:

    curl -X POST -d "action=dologin&login=test&pwd=test" http://<target-ip>/php/ajax-login.php

If the response includes userid=1 or similar administrator identifiers, it confirms the vulnerability. Further testing can include accessing privileged endpoints such as /php/ajax-main.php or /modules/* without valid authentication to verify if administrative actions can be performed.
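
The same endpoints can also be reviewed passively in web server access logs. The following is an added example, not code from the vendor or from this advisory: it assumes Common/Combined Log Format and a constructed management subnet (10.20.0.0/24), and flags login and privileged requests from outside that subnet as well as privileged requests with no preceding login from the same client.

```python
import ipaddress
import re

LOGIN_PATH = "/php/ajax-login.php"                              # from the advisory
PRIVILEGED = re.compile(r"^/(?:php/ajax-main\.php$|modules/)")  # from the advisory
# Assumption: the web server writes Common/Combined Log Format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Assumption: constructed management subnet; replace with the site's own.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def review(lines):
    """Return (client, reason, path) for each request worth an analyst's look."""
    findings, seen_login = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, path = m["ip"], m["path"].split("?", 1)[0]
        if path == LOGIN_PATH and m["method"] == "POST":
            seen_login.add(client)
            if not is_trusted(client):
                findings.append((client, "login-from-untrusted-network", path))
        elif PRIVILEGED.match(path):
            if not is_trusted(client):
                findings.append((client, "privileged-from-untrusted-network", path))
            elif client not in seen_login:
                # Assumption: the normal UI posts to the login endpoint first,
                # so a direct call suggests scripted access.
                findings.append((client, "privileged-without-login", path))
    return findings

# Constructed sample log lines (documentation and private addresses only).
SAMPLE_LOG = [
    '10.20.0.5 - - [13/Jun/2026:08:00:01 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 41',
    '10.20.0.5 - - [13/Jun/2026:08:00:03 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Jun/2026:09:14:22 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 41',
    '203.0.113.7 - - [13/Jun/2026:09:14:25 +0000] "GET /modules/ HTTP/1.1" 200 2048',
    '10.20.0.9 - - [13/Jun/2026:09:30:00 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 512',
    '10.20.0.5 - - [13/Jun/2026:09:31:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Because the login endpoint accepts any credentials on affected versions, a logged login does not show that a request was legitimate; source address is the stronger signal here.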

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoints by network controls such as firewalls or VPNs to limit exposure to trusted users only.

Additionally, disabling or restricting the /php/ajax-login.php and related administrative endpoints until a patch or update is applied can reduce risk.

Implementing proper authentication mechanisms on the server side to validate user credentials and sessions before allowing access to privileged functions is critical.

If possible, update the system to a fixed version beyond 2.10.2 where this vulnerability is addressed.

In the longer term, enforce strong authentication frameworks, session management, and multi-factor authentication to prevent similar issues.

Compliance Impact

The vulnerability allows remote unauthenticated attackers to perform any administrative action on the gas station automation system, including reading and modifying sensitive configuration data and operational controls. This unauthorized access can lead to breaches of confidentiality, integrity, and availability of critical system data.

Such unauthorized access and control over sensitive operational data and user information can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, data protection, and accountability for sensitive information.

Specifically, improper authentication vulnerabilities like this one (CWE-287) undermine the enforcement of access controls, increasing the risk of data breaches and unauthorized data manipulation, which are key compliance concerns under these regulations.
