CVE-2026-3843

Nefteprodukttekhnika · BUK TS-G Gas Station Automation System

The Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 is vulnerable to SQL injection in its configuration module, potentially allowing remote code execution via the sql parameter.

Executive summary

The Nefteprodukttekhnika BUK TS-G automation system contains a critical SQL injection vulnerability allowing remote code execution through malicious HTTP requests.

Vulnerability

The application improperly sanitizes the sql parameter in the /php/request.php endpoint, allowing an unauthenticated remote attacker to inject and execute arbitrary SQL commands.

Business impact

With a CVSS score of 9.8, this vulnerability poses a severe threat to industrial control environments. Successful exploitation allows an attacker to manipulate the underlying database, potentially leading to unauthorized control over gas station operations, data theft, or remote code execution on the server hosting the automation software.

Remediation

Immediate Action: Update the BUK TS-G software to the latest version that addresses the SQL injection flaw in the configuration module.

Proactive Monitoring: Monitor HTTP access logs for requests to /php/request.php containing suspicious SQL syntax or anomalous parameter values.

Compensating Controls: Restrict network access to the automation system to authorized personnel only and utilize a WAF to filter malicious POST requests targeting the application.
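As an added illustration of the monitoring and WAF advice above (this is example code, not part of the advisory or the vendor's software), the following Python scanner flags access-log requests to /php/request.php whose sql parameter carries SQL syntax, and separately flags POSTs to that endpoint, since a standard access log does not record request bodies. The log lines are constructed samples, and the keyword list is an assumption to be tuned for the deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2026:10:01:04 +0300] "GET /php/request.php?id=42 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:10:01:05 +0300] "GET /php/request.php?sql=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 734 "-" "curl/8.4"
10.0.0.9 - - [12/Mar/2026:10:01:06 +0300] "POST /php/request.php HTTP/1.1" 200 300 "-" "python-requests/2.31"
10.0.0.7 - - [12/Mar/2026:10:01:07 +0300] "GET /index.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/php/request.php"   # endpoint named in the advisory
TARGET_PARAM = "sql"               # parameter named in the advisory

# Quote/comment sequences, statement separators and common SQL keywords that
# rarely belong in a legitimate parameter value (assumed list; tune per site).
SQL_SYNTAX = re.compile(
    r"['\"`;]|--|/\*|\b(select|union|insert|update|delete|drop|load_file|"
    r"outfile|sleep|benchmark)\b", re.IGNORECASE)

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

def classify(line):
    """Return (ip, severity, reason) for one log line, or None if not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if TARGET_PARAM in params:
        value = " ".join(params[TARGET_PARAM])
        if SQL_SYNTAX.search(value):
            return (m["ip"], "high", f"SQL syntax in {TARGET_PARAM!r}: {value!r}")
        return (m["ip"], "medium", f"{TARGET_PARAM!r} parameter present: {value!r}")
    if m["method"] == "POST":
        # Access logs omit request bodies, so a POSTed parameter is invisible
        # here; flag for inspection through WAF or application-level logging.
        return (m["ip"], "low", "POST to endpoint; body not visible in access log")
    return None

def scan(log_text):
    """Run classify() over every line and return the flagged ones."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for ip, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity.upper():6}] {ip}: {reason}")
```

Because the body of a POST never reaches the access log, the "low" hits are only a prompt to check the WAF or application logs that do see the parameter.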

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability could result in significant operational disruption within critical infrastructure. Organizations using the BUK TS-G system must prioritize applying the relevant software updates to eliminate the SQL injection vector immediately.