CVE-2026-3843: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Nefteprodukttekhnika LLC BUK TS-G Gas Station Automation System
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.
AI Analysis
Technical Summary
CVE-2026-3843 identifies a critical SQL Injection vulnerability (CWE-89) in version 2.9.1 of the BUK TS-G Gas Station Automation System developed by Nefteprodukttekhnika LLC, deployed on Linux platforms. The vulnerability resides in the system configuration module, specifically in the /php/request.php endpoint, which accepts HTTP POST requests with application/x-www-form-urlencoded data. The 'sql' parameter within these requests is not properly sanitized or neutralized, allowing an attacker to inject arbitrary SQL commands. By exploiting this flaw, a remote attacker without any authentication can execute malicious SQL queries against the backend database. This can lead to unauthorized data access, data manipulation, and potentially escalate to remote code execution on the host system. The vulnerability's CVSS v3.1 base score is 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. The lack of available patches or mitigations at the time of disclosure increases the urgency for affected organizations to implement compensating controls. Given the product's role in automating gas station operations, exploitation could disrupt fuel dispensing, financial transactions, and operational safety controls.
Potential Impact
The impact of CVE-2026-3843 is severe for organizations operating the BUK TS-G Gas Station Automation System. Successful exploitation can lead to complete compromise of the gas station's automation infrastructure, including unauthorized access to sensitive operational data and manipulation of system configurations. This can result in financial losses due to fraudulent transactions or fuel theft, operational disruptions causing service outages, and safety risks if control systems are tampered with. The potential for remote code execution elevates the threat to full system takeover, enabling attackers to deploy malware, pivot within internal networks, or cause physical damage. Given the critical nature of energy infrastructure, such an attack could have cascading effects on supply chains and public safety. The vulnerability's ease of exploitation without authentication or user interaction broadens the attack surface, increasing the likelihood of targeted attacks or automated exploitation attempts once details become public.
Mitigation Recommendations
To mitigate CVE-2026-3843, organizations should immediately restrict external network access to the affected /php/request.php endpoint by implementing firewall rules or network segmentation to limit exposure. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'sql' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters that interact with databases. If possible, upgrade to a patched version of the BUK TS-G system once available from the vendor. In the absence of patches, consider deploying database activity monitoring to detect anomalous queries and implement least privilege principles on database accounts to limit damage from injection attacks. Regularly audit logs for suspicious activity and prepare incident response plans specific to gas station automation systems. Engage with the vendor for timely updates and guidance. Additionally, isolate critical control systems from general IT networks to reduce lateral movement risks.
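The log audit recommended above can be scripted. The following is an added example, not code from the vendor or from this advisory: it scans reverse-proxy or WAF records for POSTs to /php/request.php whose form body carries the `sql` parameter, and ranks them by whether the source sits inside the management network. The JSON record schema, the sample addresses and the management CIDR are assumptions.

```python
import ipaddress
import json
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/php/request.php"  # endpoint named in the advisory
PARAM = "sql"                  # form parameter named in the advisory

# Constructed sample records. The JSON schema (src/method/uri/body) is an
# assumed proxy or WAF log format, not something the product emits.
SAMPLE_LOG = """\
{"src": "10.20.0.5", "method": "POST", "uri": "/php/request.php", "body": "action=do&sql=SELECT+1&reload_driver=0"}
{"src": "203.0.113.7", "method": "POST", "uri": "/php//request.php?x=1", "body": "action=do&sql=SELECT+1&reload_driver=0"}
{"src": "203.0.113.7", "method": "GET", "uri": "/index.php", "body": ""}
{"src": "198.51.100.9", "method": "POST", "uri": "/php/request.php", "body": "action=status"}
not-json garbage line
"""


def normalize_path(uri):
    """Strip the query string, decode %XX and collapse '//' and '/./'."""
    return posixpath.normpath(unquote(urlsplit(uri).path))


def flag_requests(log_text, mgmt_nets):
    """Return one finding per POST to ENDPOINT whose form body carries PARAM."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src"])
        except (ValueError, KeyError, TypeError):
            continue  # unparseable record: skip it rather than abort the audit
        if rec.get("method", "").upper() != "POST":
            continue
        if normalize_path(rec.get("uri", "")) != ENDPOINT:
            continue
        form = parse_qs(rec.get("body", ""), keep_blank_values=True)
        if PARAM not in form:
            continue
        inside = any(src in net for net in nets)
        findings.append({
            "line": lineno,
            "src": str(src),
            # The endpoint requires no authentication, so traffic from
            # outside the management network is the priority.
            "severity": "review" if inside else "high",
            "statement_len": len(form[PARAM][0]),
        })
    return findings
```

The findings record only the length of the submitted statement, so the audit output does not copy database content or credentials into a second log.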
Affected Countries
Russia, Ukraine, Kazakhstan, Belarus, Poland, Germany, China, India, United States, Turkey
Technical Details
- Data Version: 5.2
- Assigner Short Name: TuranSec
- Date Reserved: 2026-03-09T18:20:17.516Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b0215bea502d3aa859162d
Added to database: 3/10/2026, 1:49:15 PM
Last enriched: 3/10/2026, 2:03:37 PM
Last updated: 3/10/2026, 3:50:10 PM