{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-12183: Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-12183","status":"final","version":"1","initial_release_date":"2026-06-13T17:36:49.109Z","current_release_date":"2026-06-13T17:41:00.118Z","revision_history":[{"date":"2026-06-13T17:36:49.109Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-12183 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-12183"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-12183"},{"category":"external","summary":"BUK_TS_KILLER - Proof-of-concept exploit for the BUK TS-G authentication bypass","url":"https://github.com/ciprobe/bukts_auth_bypass"},{"category":"external","summary":"Nefteprodukttekhnika BUK TS-G - Vendor distribution","url":"https://bukts.ru/repo-bukts-current"},{"category":"external","summary":"CWE-287: Improper Authentication","url":"https://cwe.mitre.org/data/definitions/287.html"},{"category":"external","summary":"CWE-306: Missing Authentication for Critical Function","url":"https://cwe.mitre.org/data/definitions/306.html"}]},"product_tree":{"branches":[{"category":"vendor","name":"Nefteprodukttekhnika LLC","branches":[{"category":"product_name","name":"BUK TS-G Gas Station Automation System","branches":[{"category":"product_version_range","name":">=2.9.1 <=2.10.2","product":{"name":"Nefteprodukttekhnika LLC BUK TS-G Gas Station Automation System >=2.9.1 <=2.10.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:nefteprodukttekhnika_llc:buk_ts-g_gas_station_automation_system:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-12183","title":"Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2","notes":[{"category":"description","text":"Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}