A critical authentication bypass vulnerability in the Nefteprodukttekhnika BUK TS-G system allows unauthenticated attackers to gain full administrative control over gas station operations.

The system suffers from an improper authentication flaw (CWE-287) where the /php/ajax-login.php endpoint fails to validate credentials and improperly grants administrative access. Subsequent privileged endpoints do not validate server-side sessions, allowing a remote unauthenticated attacker to manipulate sensitive industrial components.

With a CVSS score of 9.8, this vulnerability poses an extreme risk to operational technology (OT) environments. An attacker could remotely manipulate fuel tank gauges, dispensers, cash registers, and pricing rules, potentially leading to significant financial loss, physical safety hazards at gas stations, and complete compromise of industrial control integrity.

Immediate Action: Update the BUK TS-G automation system to the latest version as specified in the vendor advisory.

Proactive Monitoring: Monitor network traffic for unauthorized access to the /php/ directory and review system logs for unexpected administrative changes or login attempts.

Compensating Controls: Isolate the automation system from the public internet using a firewall and ensure access is restricted to authorized VPN connections only.

Public Exploit Available: True

Given the critical severity and the availability of functional exploit code, this vulnerability represents an urgent threat to facility operations. Administrators must apply the vendor-provided updates immediately and verify that the affected systems are not exposed to the public internet.