Skip to main content

Turpak Automatic Station Monitoring System CVE-2025-4040

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-07-21 iletisim@usom.gov.tr
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 18:39 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Turpak Automatic Station Monitoring System allows Privilege Escalation.

This issue affects Automatic Station Monitoring System: before 5.0.6.51.

AnalysisAI

Privilege escalation in Turpak Automatic Station Monitoring System versions prior to 5.0.6.51 allows authenticated remote attackers to bypass authorization controls by manipulating user-controlled keys (IDOR-style flaw). Authenticated low-privilege users can access or modify resources belonging to other accounts, including potentially higher-privileged ones. EPSS scores exploitation likelihood at 0.19% (41st percentile) and no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), a class of Insecure Direct Object Reference (IDOR) where the application uses client-supplied identifiers (such as user IDs, record IDs, or session tokens passed in URLs, parameters, or headers) to look up resources without verifying that the requesting user is authorized to access them. Turpak's Automatic Station Monitoring System is an industrial/fuel station telemetry and management platform used in Turkey, typically deployed to monitor automated fuel stations and dispense data. Because the system handles operational data for physical infrastructure, broken object-level authorization can let a low-privileged operator elevate to administrative functions by tampering with identifiers in API or web requests.

Affected ProductsAI

Turpak Automatic Station Monitoring System, all versions prior to 5.0.6.51, is affected. No CPE strings were provided in the available intelligence. Vendor and national-CERT advisories are published at https://www.usom.gov.tr/bildirim/tr-25-0165 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0165.

RemediationAI

Upgrade Turpak Automatic Station Monitoring System to version 5.0.6.51 or later, which is identified as the first fixed release per the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0165. If immediate patching is not feasible, restrict network access to the monitoring system to trusted management VLANs or VPN-only access to reduce the population of users who can authenticate (trade-off: may interfere with remote station operations), enforce strict least-privilege on application accounts and review/rotate low-privilege credentials, and enable detailed audit logging on object-access endpoints to detect anomalous identifier enumeration (trade-off: increased log volume). Until upgraded, treat all authenticated low-privilege accounts as potential vectors and monitor for unusual cross-tenant or cross-user resource access patterns.

Share

CVE-2025-4040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy