CVE-2025-27579

In Bitaxe ESP-Miner before 2.5.0 with AxeOS, one can use an /api/system CSRF attack to update the payout address (aka stratumUser) for a Bitaxe Bitcoin miner, or change the frequency and voltage settings.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/skot/ESP-Miner/pull/637
https://snotra.uk/axeos-csrf-vulnerability.html
https://www.nobsbitcoin.com/bitaxe-firmware-esp-miner-v2-5-0/
https://snotra.uk/axeos-csrf-vulnerability.html

Configurations

No configuration.

History

04 Mar 2025, 19:15

Type	Values Removed	Values Added
References	~~() https://snotra.uk/axeos-csrf-vulnerability.html -~~	() https://snotra.uk/axeos-csrf-vulnerability.html -
Summary		(es) En Bitaxe ESP-Miner anterior a 2.5.0 con AxeOS, se puede usar un ataque CSRF /api/system para actualizar la dirección de pago (también conocida como stratumUser) para un minero de Bitcoin de Bitaxe, o cambiar la configuración de frecuencia y voltaje.

03 Mar 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-03 00:15

Updated : 2025-03-04 19:15

NVD link : CVE-2025-27579

Mitre link : CVE-2025-27579

CVE.ORG link : CVE-2025-27579

JSON object : View

Products Affected

No product.

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

5.4 /10