CRITICAL | CVE-2026-12183 | Published | Modified | CNA: TuranSec

CVE-2026-12183: Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

An improper authentication vulnerability affects the BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2 on Linux. The login endpoint accepts any credentials and returns an administrator session token, while privileged endpoints perform no server-side session validation, meaning a remote attacker with no account can immediately act as administrator. Successful exploitation gives full read and write access to the automation system, including fuel tank gauges, dispensers, pricing rules, cash registers, and bank terminals. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-12183 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the BUK TS-G software stack. Any image running an affected version (2.9.1 through 2.10.2) will surface a finding immediately.

Triage (Available)

HarborGuard scores this vulnerability at CVSS 9.3 Critical and weights findings against each customer organization's compliance policy to determine urgency and routing. Triage output is delivered to the inbox or ticketing integration configured for the affected environment, ensuring the right team sees the alert without manual triage overhead.

Patch (Pending upstream)

Because no upstream fix has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, compensating-control recommendations (network-policy isolation, egress filtering, and blocking external access to the /php/ and /modules/ paths) are surfaced alongside the finding for customers who opt into advisory guidance.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the host's HTTP service to send a crafted POST request.

  • Authentication: Not required

    No credentials are needed; the endpoint accepts any arbitrary login and password values and returns an administrator session.

  • Victim interaction: Not required

    The attacker interacts directly with the server-side endpoint and requires no action from any user.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental dependencies are involved.

Blast Radius

  • Attacker reads all administrator-level configuration data, including user accounts, fuel card records, customer pricing rules, and cash-collection logs.
  • Attacker modifies fuel tank gauge readings, dispenser settings, and pricing rules, enabling direct financial manipulation of fuel sales.
  • Attacker reconfigures or toggles relays, cash registers, and bank terminals, disrupting point-of-sale operations at the affected station.
  • Full Confidentiality, Integrity, and Availability impact is confirmed on the vulnerable system; adjacent systems (SC:L, SI:L, SA:L) face limited but non-zero spillover risk.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-12183, HarborGuard continuously monitors the advisory and will trigger a patched-image rebuild the moment a fix version is published, with auto-remediation customers receiving a regression-test run and a PR opened against affected workloads automatically. While no fix is available, HarborGuard surfaces compensating-control guidance alongside each finding: restrict network access to the BUK TS-G host so that the /php/ajax-login.php, /php/ajax-main.php, and /modules/* paths are reachable only from trusted management networks; apply egress filtering to limit lateral reach from a compromised host; and consider feature-flag or firewall gating to disable the HTTP configuration interface entirely if remote administration is not operationally required. Customers with compliance policies that flag unauthenticated-admin vulnerabilities at Critical severity will receive expedited routing through their configured escalation path.
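As an added detection example (not HarborGuard's or the vendor's code), the script below hunts web access logs for the three path prefixes named in this advisory being reached from outside a trusted management network, which is the gap the compensating controls above are meant to close. The Combined Log Format, the 10.10.0.0/24 management range, the /modules/pricing/index.php path and all sample lines are constructed assumptions.

```python
import ipaddress
import re
# Paths named in the advisory: the login endpoint and the privileged endpoints
# that skip server-side session validation.
SENSITIVE_PREFIXES = ("/php/ajax-login.php", "/php/ajax-main.php", "/modules/")

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    # Return the fields we need, or None for lines that do not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip, trusted_nets):
    """True if ip falls inside one of the allow-listed management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source address: treat as untrusted
    return any(addr in net for net in trusted_nets)

def flag_untrusted_access(lines, trusted_cidrs):
    """Return (ip, method, path, reason) for each sensitive hit from outside trusted_cidrs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if is_trusted(rec["ip"], nets):
            continue
        if rec["method"] == "POST" and rec["path"].startswith(SENSITIVE_PREFIXES[0]):
            reason = "login endpoint hit from untrusted network (any credentials grant admin)"
        else:
            reason = "privileged endpoint reached from untrusted network (no session check)"
        findings.append((rec["ip"], rec["method"], rec["path"], reason))
    return findings

# Constructed sample log lines (not real traffic); 10.10.0.0/24 is the assumed management LAN.
SAMPLE_LOG = [
    '10.10.0.5 - - [01/Mar/2026:09:00:01 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 42',
    '203.0.113.7 - - [01/Mar/2026:09:00:02 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 42',
    '203.0.113.7 - - [01/Mar/2026:09:00:03 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 1288',
    '203.0.113.7 - - [01/Mar/2026:09:00:04 +0000] "GET /modules/pricing/index.php HTTP/1.1" 200 510',
    '198.51.100.9 - - [01/Mar/2026:09:00:05 +0000] "GET /index.php HTTP/1.1" 200 900',
]
TRUSTED_CIDRS = ["10.10.0.0/24"]
```

Run it over the real access log with your own management ranges in TRUSTED_CIDRS; every returned tuple is a request that should have been blocked by the network controls described above.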

Affected packages
  • Nefteprodukttekhnika LLC / BUK TS-G Gas Station Automation System, versions ≤ 2.10.2

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L