CVE-2026-12183 describes an improper authentication vulnerability (CWE-287) in Nefteprodukttekhnika LLC's BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2 on Linux. The vulnerability exists because the /php/ajax-login.php endpoint returns a fixed administrator userid (userid=1) in response to any HTTP POST request with arbitrary credentials. Additionally, subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate server-side sessions, enabling remote unauthenticated attackers to invoke administrative actions. These actions include reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules. The CVSS 4.0 base score is 9.3, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can gain full administrative control over the gas station automation system. This includes the ability to read and modify sensitive configuration data and control critical hardware components such as fuel dispensers and cash registers. Such control could disrupt fuel station operations, cause financial losses, and potentially endanger safety by manipulating fuel dispensing and related systems.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, restrict network access to the affected endpoints and monitor for unauthorized access attempts. Implement network-level controls to limit exposure of the vulnerable system to untrusted networks.