
BUK TS-G CVE-2026-12183

EUVD-2026-36653 CRITICAL
Improper Authentication (CWE-287)
2026-06-13 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c GHSA-4vgc-3whg-978w
9.3
CVSS 4.0 · Vendor: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Severity by source

Vendor (309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Endpoint is network-reachable and the login bypass is trivial (AV:N/AC:L/PR:N/UI:N); full admin control over the application yields C:H/I:H/A:H with no scope change to a separate security authority.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c).

CVSS Vector

Vendor: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Generated
Jun 13, 2026 - 18:30 vuln.today
CVE Published
Jun 13, 2026 - 18:16 cve.org
CRITICAL 9.3

Description (CVE.org)

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

Analysis (AI)

Remote unauthenticated authentication bypass in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux allows any HTTP client to obtain administrator-level access by POSTing arbitrary credentials to /php/ajax-login.php, which unconditionally returns userid=1. Downstream privileged endpoints under /php/ajax-main.php and /modules/* fail to validate a server-side session, exposing full control over fuel dispensers, tank gauges, pricing, POS, bank terminals, and relays. …


Attack Chain (AI Derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed BUK TS-G web UI
Delivery: POST arbitrary credentials to /php/ajax-login.php
Exploit: Receive userid=1 administrator response
Execution: Invoke privileged /php/ajax-main.php and /modules/* actions
Impact: Modify pricing, dispensers, tanks, and card terminals

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of BUK TS-G 2.9.1 through 2.10.2 on Linux. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: All available signals converge on critical, immediately exploitable risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who can reach the station's web interface - for example through an exposed cellular router, misconfigured site-to-site VPN, or an internet-facing management IP - sends a single HTTP POST to /php/ajax-login.php with action=dologin&login=x&pwd=x, receives userid=1, and then drives /php/ajax-main.php and /modules/* to alter fuel pricing, dump fuel-card data, manipulate tank gauges, or toggle dispenser relays. Given the public PoC repository referenced by NVD, exploitation is reducible to a handful of curl commands and requires no specialized tooling.

Remediation: No vendor-released patch identified at time of analysis - the NVD references point only to the vendor repository (https://bukts.ru/repo-bukts-current) and a researcher PoC (https://github.com/ciprobe/bukts_auth_bypass), not a fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Conduct immediate inventory of all BUK TS-G systems and identify any running versions 2.9.1 through 2.10.2; implement network-level access restrictions on /php/ajax-login.php and /php/ajax-main.php endpoints; deploy monitoring for suspicious POST requests to these endpoints. …
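A minimal access-log check for the monitoring step above, added here as an example and not part of the vuln.today analysis or the vendor's software. It flags POSTs to the bypassable login endpoint and any call to the session-less privileged endpoints from a source outside an operator network; the management range 10.20.0.0/24, the combined log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Endpoints named in the advisory: the login endpoint that returns userid=1 for
# any credentials, and the privileged endpoints that skip session validation.
LOGIN_ENDPOINT = "/php/ajax-login.php"
PRIVILEGED_PREFIXES = ("/php/ajax-main.php", "/modules/")

# Hypothetical operator/management network from which logins are expected.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Apache/nginx "combined" access-log format; the vendor's real format is unknown.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def is_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def classify(line: str):
    """Return (tag, source_ip, path) for a suspicious line, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop the query string before matching
    ip = m["ip"]
    if is_allowed(ip):
        return None
    if m["method"] == "POST" and path == LOGIN_ENDPOINT:
        return ("login_from_unallowed_source", ip, path)
    if path.startswith(PRIVILEGED_PREFIXES):
        return ("privileged_call_from_unallowed_source", ip, path)
    return None

def detect(lines):
    """Run classify() over a log and keep only the alerts."""
    return [a for a in (classify(l) for l in lines) if a]

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.20.0.15 - - [13/Jun/2026:18:20:01 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 45',
    '203.0.113.7 - - [13/Jun/2026:18:21:10 +0000] "POST /php/ajax-login.php HTTP/1.1" 200 45',
    '203.0.113.7 - - [13/Jun/2026:18:21:12 +0000] "POST /php/ajax-main.php HTTP/1.1" 200 1320',
    '203.0.113.7 - - [13/Jun/2026:18:21:15 +0000] "GET /modules/prices/list.php?id=1 HTTP/1.1" 200 880',
    '198.51.100.9 - - [13/Jun/2026:18:22:00 +0000] "GET /index.php HTTP/1.1" 200 2104',
]
```

Because the bypass makes every login "succeed", a 200 on the login endpoint carries no signal by itself; the source network and the follow-on privileged calls are what to alert on.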




CVE-2026-12183 vulnerability details – vuln.today
