CVE-2026-12183 Overview
CVE-2026-12183 is an authentication bypass vulnerability in the Nefteprodukttekhnika BUK TS-G Gas Station Automation System, versions 2.9.1 through 2.10.2 on Linux. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request containing arbitrary credentials. Privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session, allowing remote unauthenticated attackers to invoke administrative actions. The flaw is categorized under CWE-287: Improper Authentication and carries a CVSS v4.0 score of 9.3.
Critical Impact
Remote unauthenticated attackers can read and modify fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, and pricing rules on affected gas station automation systems.
Affected Products
- Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 (Linux)
- Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.2 through 2.10.1 (Linux)
- Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.10.2 (Linux)
Discovery Timeline
- 2026-06-13 - CVE-2026-12183 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12183
Vulnerability Analysis
The BUK TS-G Gas Station Automation System exposes a web-based configuration module that fails to enforce authentication on privileged endpoints. The /php/ajax-login.php endpoint responds to any HTTP POST request containing action=dologin&login=<any_value>&pwd=<any_value> by returning an administrative user identifier of 1. The server does not validate the supplied credentials against any backend store.
Downstream endpoints under /php/ajax-main.php and the /modules/* directory do not verify a server-side session token before executing administrative actions. An attacker only needs to reach the web interface to gain administrator-equivalent access. The EPSS score for this vulnerability is 0.548% as of 2026-06-18.
Root Cause
The root cause is a missing server-side authentication check, combined with a login endpoint that hardcodes a successful administrator response. The application trusts client-supplied state and does not bind requests to validated sessions. This pattern overlaps with CWE-306: Missing Authentication for Critical Function.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends a single crafted POST request to /php/ajax-login.php, then issues administrative requests to /php/ajax-main.php or any handler under /modules/*. A proof-of-concept is publicly available via the GitHub PoC for Auth Bypass repository.
This record describes the vulnerability in prose only; protocol-level reproduction steps are in the linked proof-of-concept. Successful exploitation grants control over fuel tank gauges, dispensers, relays, cash registers, bank terminals, fuel cards, and price displays.
Detection Methods for CVE-2026-12183
Indicators of Compromise
- HTTP POST requests to /php/ajax-login.php containing action=dologin parameters from untrusted source addresses
- Server responses returning userid=1 to requests originating from external networks
- Unexpected configuration changes to fuel dispensers, tank gauges, or pricing rules in audit logs
- Sequential requests to /php/ajax-main.php or /modules/* endpoints without a preceding legitimate operator login
Detection Strategies
- Inspect web server access logs for POST requests to /php/ajax-login.php followed by rapid access to administrative module endpoints
- Deploy network intrusion detection signatures that match the action=dologin parameter pattern against the BUK TS-G login endpoint
- Correlate authentication events with downstream configuration changes to identify session-less administrative activity
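An added example (not from the CVE record or the vendor) that applies the log-inspection and correlation strategies above to constructed access-log lines in combined format: it flags login POSTs from outside an assumed trusted OT subnet (10.10.0.0/24), administrative endpoint calls with no preceding login at all, and administrative calls issued within a short window after a login. The subnet, the 10-second window and the sample lines are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format); not real traffic.
# Note: action=dologin sits in the POST body, which standard access logs do
# not record, so matching here is on the request path only.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2026:10:01:02 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 17 "-" "curl/8.0"
203.0.113.5 - - [18/Jun/2026:10:01:03 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [18/Jun/2026:10:01:04 +0000] "GET /modules/prices.php?op=set HTTP/1.1" 200 88 "-" "curl/8.0"
10.10.0.7 - - [18/Jun/2026:10:05:00 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.10.0.7 - - [18/Jun/2026:10:06:30 +0000] "GET /php/ajax-main.php?view=tanks HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jun/2026:10:09:00 +0000] "POST /modules/relays.php HTTP/1.1" 200 40 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRUSTED = ipaddress.ip_network("10.10.0.0/24")   # assumed OT management subnet
ADMIN_RE = re.compile(r"^/(php/ajax-main\.php|modules/)")  # privileged handlers named in the advisory
WINDOW = timedelta(seconds=10)                    # assumed "rapid follow-up" threshold

def parse(line):
    """Return (ip, timestamp, method, path-without-query) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0]

def find_suspicious(log_text):
    """Return a list of (ip, reason) tuples for activity matching the IoCs above."""
    findings = []
    last_login = {}  # ip -> timestamp of that ip's most recent POST to the login endpoint
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path == "/php/ajax-login.php":
            last_login[ip] = ts
            if ipaddress.ip_address(ip) not in TRUSTED:
                findings.append((ip, "login POST from untrusted address"))
        elif ADMIN_RE.match(path):
            if ip not in last_login:
                # Session-less administrative activity: no login seen from this source at all
                findings.append((ip, f"admin endpoint {path} without prior login"))
            elif ts - last_login[ip] <= WINDOW:
                # Scripted login-then-act flow, as a PoC would produce
                findings.append((ip, f"admin endpoint {path} within {WINDOW.seconds}s of login"))
    return findings
```

Run it against a real access log by passing the file contents to find_suspicious(); the trusted-subnet and window values should be set to the site's own management network and operator behaviour.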
Monitoring Recommendations
- Forward web server logs from BUK TS-G instances to a centralized logging platform for retention and correlation
- Alert on any access to the management interface from outside the operational technology (OT) management network
- Monitor for configuration drift on fuel pricing, dispenser configuration, and cash register settings
How to Mitigate CVE-2026-12183
Immediate Actions Required
- Remove BUK TS-G management interfaces from direct internet exposure and restrict access to trusted management subnets
- Place affected systems behind a network firewall or VPN gateway that enforces authentication before HTTP traffic reaches the application
- Audit all configuration data on affected systems for unauthorized modifications to pricing, dispensers, and access rules
Patch Information
Check the Bukts Repository Current Version for vendor updates addressing this issue. As of the last NVD modification date of 2026-06-17, no patched version is referenced in the CVE record. Operators running versions 2.9.1 through 2.10.2 should contact Nefteprodukttekhnika directly for remediation guidance.
Workarounds
- Restrict inbound HTTP access to the BUK TS-G web interface using host-based firewall rules permitting only known operator workstations
- Place a reverse proxy in front of the application that enforces independent authentication, such as mutual TLS or HTTP basic authentication tied to an external identity provider
- Segment the gas station automation network from corporate and external networks using dedicated VLANs and access control lists
- Disable remote access entirely on sites where local-only operation is acceptable
# Example iptables rules restricting access to a trusted management subnet.
# -A appends, so these must come before any broader ACCEPT rule for the same ports;
# adjust 10.10.0.0/24 and the ports to the site's management network and listener.
iptables -A INPUT -p tcp --dport 80 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.