Executive Summary
A critical authentication bypass vulnerability (CVE-2026-12183) has been identified in the BUK TS-G Gas Station Automation System developed by Nefteprodukttekhnika, affecting versions 2.9.1 through 2.10.2 running on Linux. The vulnerability carries a CVSS score of 9.8 — rated Critical.
The flaw resides in the system's configuration module login endpoint (/php/ajax-login.php), which returns userid=1 (administrator) in response to any HTTP POST request — regardless of credentials supplied. This means an unauthenticated attacker on the network can obtain full administrator access to a fuel dispensing and station management system without providing valid credentials.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-12183 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-287 — Improper Authentication |
| Type | Authentication Bypass |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Patch Available | Not confirmed at time of disclosure |
Affected Versions
| System | Affected Versions | Platform |
|---|---|---|
| BUK TS-G Gas Station Automation System | 2.9.1 through 2.10.2 | Linux |
Technical Analysis
Root Cause
The vulnerability exists in the system configuration module's login handler at /php/ajax-login.php. This PHP endpoint is responsible for authenticating users who access the administrative interface of the gas station automation system.
The critical flaw: the endpoint does not perform any credential validation. It returns userid=1 — the administrator account identifier — in response to any HTTP POST request to the endpoint, regardless of what data (if any) is submitted.
Attack Flow
1. Attacker identifies a BUK TS-G system reachable over the network (local or internet-facing)
2. Attacker sends any HTTP POST request to /php/ajax-login.php

   ```http
   POST /php/ajax-login.php HTTP/1.1
   Host: [target-ip]
   Content-Length: 0
   ```

3. Server responds with userid=1 (administrator)
4. Attacker receives administrator session token
5. Full administrative control of the gas station automation system achieved
Exploitation Conditions
- Vulnerable BUK TS-G system version (2.9.1–2.10.2) reachable over a network
- No credentials required
- No special tooling beyond basic HTTP client (curl, browser, etc.)
- Exploitation is trivially simple
Impact Assessment
Gas station automation systems manage critical operational functions including:
| Impact Area | Description |
|---|---|
| Fuel Dispensing Control | Admin access may allow modification of dispenser configurations |
| Tank Monitoring | Manipulation of automated tank level monitoring and alerts |
| Pricing Systems | Potential unauthorized modification of fuel pricing parameters |
| Safety Systems | Administrative access to safety interlock and emergency shutoff controls |
| Audit Logs | Ability to view, modify, or delete transaction and access logs |
| Network Pivot | Compromised ICS system may provide lateral movement opportunity within OT networks |
The real-world risk is amplified by the fact that ICS/OT systems are often networked with other critical infrastructure components, and administrative access to one system may provide a foothold into adjacent plant networks.
Immediate Remediation
Step 1: Identify Exposure
```bash
# Check if the system is reachable from untrusted networks
# From an external or DMZ host:
curl -X POST http://[target-ip]/php/ajax-login.php -v
# If the response contains userid=1, the system is vulnerable and accessible
```
Step 2: Network Isolation
Until a vendor patch is available:
- Immediately isolate BUK TS-G systems from untrusted network segments
- Implement firewall rules restricting access to the web interface to authorized management workstations only
- Disable internet-facing access if the administrative interface is exposed to the WAN
```bash
# Example iptables rules to restrict management access to specific admin hosts
# Order matters: the ACCEPT for the admin workstation must precede the catch-all DROP.
# Repeat for port 443 if the web interface is also served over HTTPS.
iptables -A INPUT -p tcp --dport 80 -s [admin-workstation-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
```
Step 3: Contact Vendor
Contact Nefteprodukttekhnika for a patched firmware or software update addressing CVE-2026-12183. Request confirmation of affected versions and availability of a fix.
Step 4: Monitor for Exploitation
```bash
# Review web server access logs for POST requests to the vulnerable endpoint
grep "POST /php/ajax-login.php" /var/log/apache2/access.log
# Look for requests from unexpected source IPs (count login hits per client address)
grep "ajax-login" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn
```
Detection Indicators
| Indicator | Description |
|---|---|
| POST requests to /php/ajax-login.php from unknown IPs | Direct exploitation attempt |
| Unexpected admin configuration changes | Post-exploitation activity |
| New user accounts created in the system | Persistence establishment |
| Unusual timing of access (outside business hours) | Unauthorized access session |
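The log review in Step 4 and the first and last indicators in the table above can be combined into one check. The script below is an added example, not part of the advisory or the vendor's software: it parses Apache/nginx combined-format access lines, tallies POSTs to /php/ajax-login.php per source IP (what the grep/uniq pipeline does) and flags those from outside an assumed management subnet or outside assumed business hours. The subnet, the hours and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Assumptions (not from the advisory): mgmt hosts sit in 10.10.5.0/24; admin logins expected 07:00-19:00 local.
ALLOWED_MGMT = [ip_network("10.10.5.0/24")]
BUSINESS_HOURS = (7, 19)
VULN_PATH = "/php/ajax-login.php"
# Apache/nginx combined log format: ip - user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; 203.0.113.7 is a documentation-range address, not a real IoC.
SAMPLE_LOG = """\
10.10.5.21 - - [12/Mar/2026:08:14:02 +0300] "POST /php/ajax-login.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:02:41:55 +0300] "POST /php/ajax-login.php HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2026:02:42:01 +0300] "GET /php/config.php HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2026:02:43:10 +0300] "POST /php/ajax-login.php?r=1 HTTP/1.1" 200 12 "-" "curl/8.4.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in ALLOWED_MGMT)
    except ValueError:  # malformed address field: treat as untrusted
        return False

def alert_reasons(rec):
    reasons = []
    if not is_trusted(rec["ip"]):
        reasons.append("untrusted source")
    hour = int(rec["time"][12:14])  # "12/Mar/2026:02:41:55 +0300" -> hour 02
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        reasons.append("outside business hours")
    return reasons

def find_login_probes(log_text):
    """Return (alerts, per-IP login POST counts) for POSTs to the vulnerable endpoint."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?")[0] != VULN_PATH:
            continue
        counts[rec["ip"]] += 1
        if reasons := alert_reasons(rec):
            alerts.append((rec["ip"], rec["time"], reasons))
    return alerts, counts
```

Feed it the real access log with `find_login_probes(open("/var/log/nginx/access.log").read())` and review every alert; a query string on the endpoint path is normalised away so `?`-suffixed variants are not missed.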
Post-Remediation Checklist
- Network isolation applied to all BUK TS-G systems immediately
- Vendor contacted and patch status confirmed
- Access logs reviewed for evidence of prior exploitation
- Administrative configurations audited for unauthorized changes
- Network segmentation hardened — ICS systems on isolated OT VLAN
- Monitoring deployed to alert on unexpected POST requests to login endpoints
- Patch applied once vendor releases an update