Turpak Automatic Station Monitoring System CVE-2025-4040
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Turpak Automatic Station Monitoring System allows Privilege Escalation.
This issue affects Automatic Station Monitoring System: before 5.0.6.51.
AnalysisAI
Privilege escalation in Turpak Automatic Station Monitoring System versions prior to 5.0.6.51 allows authenticated remote attackers to bypass authorization controls by manipulating user-controlled keys (IDOR-style flaw). Authenticated low-privilege users can access or modify resources belonging to other accounts, including potentially higher-privileged ones. EPSS scores exploitation likelihood at 0.19% (41st percentile) and no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), a class of Insecure Direct Object Reference (IDOR) where the application uses client-supplied identifiers (such as user IDs, record IDs, or session tokens passed in URLs, parameters, or headers) to look up resources without verifying that the requesting user is authorized to access them. Turpak's Automatic Station Monitoring System is an industrial/fuel station telemetry and management platform used in Turkey, typically deployed to monitor automated fuel stations and dispense data. Because the system handles operational data for physical infrastructure, broken object-level authorization can let a low-privileged operator elevate to administrative functions by tampering with identifiers in API or web requests.
Affected ProductsAI
Turpak Automatic Station Monitoring System, all versions prior to 5.0.6.51, is affected. No CPE strings were provided in the available intelligence. Vendor and national-CERT advisories are published at https://www.usom.gov.tr/bildirim/tr-25-0165 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0165.
RemediationAI
Upgrade Turpak Automatic Station Monitoring System to version 5.0.6.51 or later, which is identified as the first fixed release per the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0165. If immediate patching is not feasible, restrict network access to the monitoring system to trusted management VLANs or VPN-only access to reduce the population of users who can authenticate (trade-off: may interfere with remote station operations), enforce strict least-privilege on application accounts and review/rotate low-privilege credentials, and enable detailed audit logging on object-access endpoints to detect anomalous identifier enumeration (trade-off: increased log volume). Until upgraded, treat all authenticated low-privilege accounts as potential vectors and monitor for unusual cross-tenant or cross-user resource access patterns.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today