CVE-2025-27579

Description

In Bitaxe ESP-Miner before 2.5.0 with AxeOS, one can use an /api/system CSRF attack to update the payout address (aka stratumUser) for a Bitaxe Bitcoin miner, or change the frequency and voltage settings.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

Affected products

Bitaxe / ESP-MIner0 – 2.5.0

References

MISChttps://snotra.uk/axeos-csrf-vulnerability.html
MISChttps://www.nobsbitcoin.com/bitaxe-firmware-esp-miner-v2-5-0/
PATCHhttps://github.com/skot/ESP-Miner/pull/637