CVE-2026-3843 in BUK TS-G Gas Station Automation System

Summary

by MITRE • 03/10/2026

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.


Analysis

by VulDB Data Team • 03/15/2026

The Nefteprodukttekhnika BUK TS-G Gas Station Automation System represents a critical industrial control system deployed in petroleum infrastructure environments where operational technology security is paramount. This system version 2.9.1 operates on Linux platforms and serves as a foundational component for gas station automation processes including fuel dispensing, inventory management, and operational monitoring. The vulnerability resides within the system configuration module, which handles administrative functions and data processing operations that are essential for maintaining system integrity and operational continuity in critical infrastructure environments.

The technical flaw is a classic SQL injection vulnerability classified under CWE-89: the application fails to sanitize user input before incorporating it into database queries. Specifically, the /php/request.php endpoint processes HTTP POST requests containing application/x-www-form-urlencoded data with a sql parameter that directly influences database operations. When an attacker submits crafted SQL commands in this parameter, the system processes them without adequate input validation or parameterization. This exploitation pathway allows arbitrary SQL command execution, which can be leveraged to manipulate database contents, extract sensitive information, or potentially escalate privileges within the system.

The operational impact of this vulnerability extends beyond simple database compromise as it represents a significant threat to industrial control system security and operational integrity. Remote code execution capabilities enable attackers to gain unauthorized access to system administrative functions, potentially leading to complete system compromise and operational disruption. In gas station automation environments, this could result in unauthorized fuel dispensing, inventory manipulation, transaction fraud, or complete system outages that affect critical infrastructure operations. The vulnerability's remote accessibility via HTTP POST requests means attackers can exploit it from external networks without requiring physical access to the facility, making it particularly dangerous for critical infrastructure protection.

Security professionals should implement immediate mitigations including input validation and parameterized queries to prevent SQL injection exploitation. Network segmentation and firewall rules should restrict access to the /php/request.php endpoint to trusted administrative networks only, and a web application firewall should monitor and filter malicious requests. The system should be updated to a patched version that properly sanitizes all user inputs and employs prepared statements for database interactions. Additionally, regular security assessments should be conducted to identify similar vulnerabilities in industrial control system components, following standards such as NIST SP 800-82 for industrial control systems security. This vulnerability demonstrates the critical need for robust security practices in operational technology environments, where traditional cybersecurity measures must be adapted to industrial protocols and operational requirements, aligning with the attack patterns documented in the MITRE ATT&CK framework for industrial control systems.
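To make the mitigations above concrete, here is an added example (not code from Nefteprodukttekhnika, VulDB or the advisory) of a request gate for a configuration endpoint of the kind described. The endpoint path and the parameter names action, sql and reload_driver come from the advisory text; the admin subnet 10.20.30.0/24, the drivers table and the two allowed actions are assumptions constructed for the demo. The design point is that a client must never be able to supply SQL text at all: each permitted action maps to one fixed statement, client values are only ever bound as parameters, the legacy sql parameter is rejected outright, and requests from outside the administrative network are refused before any parsing happens.

```python
"""Defensive request gate for a configuration endpoint (added example).
Assumed values: ADMIN_NETWORK, the drivers table and ALLOWED_ACTIONS are
constructed for the demo and are not the product's real schema or actions."""
import ipaddress
import sqlite3
from urllib.parse import parse_qs

# Assumption: only this management network may reach the configuration module.
ADMIN_NETWORK = ipaddress.ip_network("10.20.30.0/24")
ENDPOINT = "/php/request.php"  # endpoint named in the advisory

# Each permitted action maps to one fixed statement plus the names of the form
# fields bound to its placeholders. Client input never reaches the SQL text.
ALLOWED_ACTIONS = {
    "get_driver": ("SELECT name, enabled FROM drivers WHERE id = ?",
                   ("driver_id",)),
    "set_driver": ("UPDATE drivers SET enabled = ? WHERE id = ?",
                   ("enabled", "driver_id")),
}


def open_demo_db():
    """Constructed in-memory schema standing in for the real configuration DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE drivers (id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO drivers VALUES (?, ?, ?)",
                     [(1, "pump-1", 1), (2, "pump-2", 0)])
    conn.commit()
    return conn


def handle_request(conn, client_ip, path, content_type, body):
    """Return (status, payload) for one POST.

    Order of checks: path, source network, media type, then the form. The raw
    'sql' field (the injection vector in the advisory) is refused unconditionally,
    and only allowlisted actions with integer-typed bound parameters execute."""
    if path != ENDPOINT:
        return 404, "not found"
    if ipaddress.ip_address(client_ip) not in ADMIN_NETWORK:
        return 403, "forbidden: source not in admin network"
    if content_type != "application/x-www-form-urlencoded":
        return 415, "unsupported media type"

    # Last value wins for repeated keys; blank values are kept so they are visible.
    form = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "sql" in form:
        # In the vulnerable design this field reached the database verbatim.
        return 400, "rejected: raw sql parameter is not accepted"

    action = form.get("action")
    if action not in ALLOWED_ACTIONS:
        return 400, "rejected: unknown action"
    statement, param_names = ALLOWED_ACTIONS[action]
    try:
        params = tuple(int(form[name]) for name in param_names)
    except (KeyError, ValueError):
        return 400, "rejected: missing or non-integer parameter"

    cur = conn.execute(statement, params)  # placeholders only, no string building
    if statement.lstrip().upper().startswith("SELECT"):
        return 200, cur.fetchall()
    conn.commit()
    return 200, {"rows_affected": cur.rowcount}


if __name__ == "__main__":
    db = open_demo_db()
    ct = "application/x-www-form-urlencoded"
    # Shape of the request described in the advisory: refused before any SQL runs.
    print(handle_request(db, "10.20.30.5", ENDPOINT, ct, "action=do&sql=x&reload_driver=0"))
    # Allowlisted action with a bound parameter.
    print(handle_request(db, "10.20.30.5", ENDPOINT, ct, "action=get_driver&driver_id=1"))
    # Same request from outside the admin network.
    print(handle_request(db, "192.0.2.7", ENDPOINT, ct, "action=get_driver&driver_id=1"))
```

The network check is deliberately placed before any body parsing so that a request from an untrusted address is refused without the form ever being interpreted; in production the same allowlist belongs on the firewall or reverse proxy in front of the application as well, since the advisory's remediation calls for restricting the endpoint at the network layer, not only in code.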

Responsible

TuranSec

Reservation

03/09/2026

Disclosure

03/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00187

KEV

no

Activities

very low
