In Bitaxe ESP-Miner before 2.5.0 with AxeOS, one can use an /api/system CSRF attack to update the payout address (aka stratumUser) for a Bitaxe Bitcoin miner, or change the frequency and voltage settings.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27579.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-352"
]
}"2026-07-10T12:43:48Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27579.json"
[
{
"id": "CVE-2025-27579-19199eed",
"digest": {
"function_hash": "117425552862137298526935218198231125166",
"length": 1232.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "POST_OTA_update",
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-489bd141",
"digest": {
"function_hash": "265571103042195546018461074667353015781",
"length": 230.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "echo_handler",
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-5939981a",
"digest": {
"function_hash": "60323486346228250491807775595365065620",
"length": 360.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "POST_restart",
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-7a033fa9",
"digest": {
"line_hashes": [
"244480751629666037150751136806205757151",
"316904983237818168542589409205459908820",
"309711950232842657218859570914080482782",
"150949670518811521928811296487320271858",
"112083171654878446351641839830811321644",
"310798565217150351971400035009799501380",
"233950996322954054691024752580707747841",
"235928472145655116304906683654242108755",
"26266921249535457487984591073138173356",
"303642867104101915511706068300706874836",
"261873872586499361286900345671082496799",
"6962054176701614108283400373749323807",
"14417434479585042717693685468869744964",
"82254236559372802773756763330228900991",
"94990039587786496805187422887143094946",
"211760873473522476155867437517205349327",
"108844867524873268876896204133393964855",
"275617105441601736051415112197016623311",
"94990039587786496805187422887143094946",
"313729904756706155024813184276825739150",
"78661556131630815147330788907102687557",
"221807133318908885264603189335803568058",
"94990039587786496805187422887143094946",
"334494019112640453009840704173393527595",
"153266991967096988442243083416481736590",
"273227577416235618737018179325324323993",
"153757769438710393835270911781116060997",
"35339553768736063730373595651948821284",
"214751758919388070205014733279389248849",
"41740313964052717060159213196024128245",
"228889229866460249963318991802534970164",
"223637234917141591431817534876681992731",
"308519231509459201572675075685606244874",
"216115008552246272189239457407263773682",
"228889229866460249963318991802534970164",
"90152816905881810675568218936085706194",
"149974810021858003873197870255312501131",
"228456411310002017861349822379614985701",
"301376630698687632237995159713337218358",
"196482318245847967852794484650861766056",
"319522634840444472677612213755321351851",
"54557011006994140043663125532586401936",
"154268117566549786132837165816609920853",
"41924570408023754832004534886394135620",
"56759087805816061427060182268466130388",
"187242214249363096925585159420574847687",
"101320890716156579248618341970434834230",
"278615315591681044019535052804095168016",
"66447876209669114671042317859841199828",
"79406520790016592707102599220937696250",
"118467540477452073182500132635788277643",
"332108145343722433993413851444795115032",
"252459972544880466194047044084745085682",
"142315710902617605636022379444487367096",
"291285574437084175372178096596132414627",
"158915766063340010653644576787620431688",
"107823892661579332081885550483148047232",
"15977036628927854708550779872748587361",
"202453935545044043437634515641884154694",
"190102058106141950157460385929500640845",
"245145838584484110703471200302518624694",
"82001467412070861539734768953481439256",
"107217020745815151210979898857014146453",
"179178894147017638526092393792289894999",
"7759871166987334482016376353026149010",
"260764352898769237219443265881244044964",
"158740147832325934184739896211577404164",
"57025819999023023057714441841934147565",
"257658163608552965435604776797682196451",
"219100236309928304307302660507189386093",
"84938507811162920785700568830648095115",
"174679064364193363441935925382505360758",
"43054592422240898165508344753282931010"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-9fec8917",
"digest": {
"function_hash": "227336434050099744843291763498585578864",
"length": 1202.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "POST_WWW_update",
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-a5554b4f",
"digest": {
"function_hash": "316237739374606816369934663233422125448",
"length": 3197.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "PATCH_update_settings",
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-bacc4a71",
"digest": {
"function_hash": "46076139298436731725707053249907169521",
"length": 120.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "rest_recovery_handler",
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-c69fcb3e",
"digest": {
"function_hash": "274449569490518693246010528569340235907",
"length": 168.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "handle_options_request",
"file": "main/http_server/http_server.c"
}
},
{
"id": "CVE-2025-27579-fb1af45e",
"digest": {
"function_hash": "249567908091338272029416888894006408871",
"length": 4533.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/bitaxeorg/ESP-Miner/commit/a04c00ba070dbfc61682041d944a6fa19857a90c",
"deprecated": false,
"target": {
"function": "GET_system_info",
"file": "main/http_server/http_server.c"
}
}
]