Search
Find a vulnerability
Search criteria
2 vulnerabilities by Nefteprodukttekhnika LLC
CVE-2026-12183 (GCVE-0-2026-12183)
Vulnerability from cvelistv5 – Published: 2026-06-13 17:36 – Updated: 2026-06-17 14:12
VLAI
Summary
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ciprobe/bukts_auth_bypass | exploitthird-party-advisory |
| https://bukts.ru/repo-bukts-current | vendor-advisory |
| https://cwe.mitre.org/data/definitions/287.html | technical-description |
| https://cwe.mitre.org/data/definitions/306.html | technical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nefteprodukttekhnika LLC | BUK TS-G Gas Station Automation System |
Affected:
2.9.1 , ≤ 2.10.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T17:16:46.158699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T17:16:58.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Configuration Module (\u041c\u043e\u0434\u0443\u043b\u044c: \u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430)"
],
"platforms": [
"Linux"
],
"product": "BUK TS-G Gas Station Automation System",
"vendor": "Nefteprodukttekhnika LLC",
"versions": [
{
"lessThanOrEqual": "2.10.2",
"status": "affected",
"version": "2.9.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qahramon Choriyev (ciprobe)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ziyovuddinov Muhammadyusuf"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The \u003ccode\u003e/php/ajax-login.php\u003c/code\u003e endpoint returns \u003ccode\u003euserid=1\u003c/code\u003e (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., \u003ccode\u003eaction=dologin\u0026amp;login=\u0026lt;any_value\u0026gt;\u0026amp;pwd=\u0026lt;any_value\u0026gt;\u003c/code\u003e), and subsequent privileged endpoints under \u003ccode\u003e/php/ajax-main.php\u003c/code\u003e and \u003ccode\u003e/modules/*\u003c/code\u003e do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.\u003c/p\u003e"
}
],
"value": "Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin\u0026login=\u003cany_value\u003e\u0026pwd=\u003cany_value\u003e), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote unauthenticated attacker can perform any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers (TRK), relays, cash registers, bank terminals, fuel cards and local payment cards, price and customer displays, cash collection, and pricing rules. No valid credentials and no user interaction are required."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "An unauthenticated remote attacker reaches the BUK-TS Configuration Module login page, submits any password, and uses an HTTP-intercepting proxy to insert a userid field into the login response. The attacker is then granted full administrative access to the gas-station configuration interface, including control over fuel dispensers, tanks, relays, cash registers, and payment terminals."
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:12:42.686Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "BUK_TS_KILLER - Proof-of-concept exploit for the BUK TS-G authentication bypass",
"tags": [
"exploit",
"third-party-advisory"
],
"url": "https://github.com/ciprobe/bukts_auth_bypass"
},
{
"name": "Nefteprodukttekhnika BUK TS-G - Vendor distribution",
"tags": [
"vendor-advisory"
],
"url": "https://bukts.ru/repo-bukts-current"
},
{
"name": "CWE-287: Improper Authentication",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/287.html"
},
{
"name": "CWE-306: Missing Authentication for Critical Function",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/306.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_assigner_notes": "Vendor identified as Nefteprodukttekhnika LLC (BUK TS-G Gas Station Automation System) based on TuranSec CNA precedent CVE-2026-3843, which covers a SQL Injection / RCE in the same product. This authentication-bypass issue is confirmed present in 2.9.1 and 2.10.2 - the 2.10.2 release fixed the SQL Injection (CVE-2026-3843) but did not address this separate auth-bypass bug. defaultStatus remains \u0027unknown\u0027 pending vendor confirmation of a fixed version. CVSS scoring is aligned with CVE-2026-3843 (VC:H/VI:H/VA:H, SC:L/SI:L/SA:L) so internal CNA scoring stays consistent across the product family. Live target IP and hostname are intentionally omitted from this record.",
"x_author": "Qahramon Choriyev (ciprobe)",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-12183",
"datePublished": "2026-06-13T17:36:49.109Z",
"dateReserved": "2026-06-13T16:39:43.046Z",
"dateUpdated": "2026-06-17T14:12:42.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3843 (GCVE-0-2026-3843)
Vulnerability from cvelistv5 – Published: 2026-03-10 11:07 – Updated: 2026-03-10 14:10
VLAI
Title
SQL Injection in Nefteprodukttekhnika BUK TS-G Allows Remote Code Execution
Summary
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nefteprodukttekhnika LLC | BUK TS-G Gas Station Automation System |
Affected:
2.9.1 , < 2.10.2
(semver)
Unaffected: 2.10.2 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:48:47.389155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:48:53.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "BUK TS-G Gas Station Automation System",
"vendor": "Nefteprodukttekhnika LLC",
"versions": [
{
"lessThan": "2.10.2",
"status": "affected",
"version": "2.9.1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.10.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yergashvoyev Jamshed (CVE GUY)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do\u0026amp;sql=\u0026lt;query_here\u0026gt;\u0026amp;reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.\u003c/p\u003e"
}
],
"value": "Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do\u0026sql=\u003cquery_here\u003e\u0026reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:10:41.086Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"url": "https://bukts.ru/repo-bukts-current"
},
{
"url": "https://bdu.fstec.ru/vul/2025-13914"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Injection in Nefteprodukttekhnika BUK TS-G Allows Remote Code Execution",
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-3843",
"datePublished": "2026-03-10T11:07:07.393Z",
"dateReserved": "2026-03-09T18:20:17.516Z",
"dateUpdated": "2026-03-10T14:10:41.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}