CVE-2021-40903

CRITICAL

antminer_monitor 0.50.0 - Use of Hard-coded Credentials in Flask Settings File


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-40903. PoCs published by Vulnz, vulnz.

AI-analyzed exploit summary: This exploit demonstrates an authentication bypass in Antminer Monitor 0.5.0 by leveraging a static secret key in the Flask settings file. The PoC provides a method to generate a valid session cookie using the known secret key, granting admin access.

Description

A vulnerability in Antminer Monitor 0.50.0 exists because of a backdoor or misconfiguration in the Flask server's settings file. The settings file contains a predefined secret string that should be randomly generated but is static.

Exploits (2)

exploitdb WORKING POC
by Vulnz · text · webapps · multiple
https://www.exploit-db.com/exploits/50267

This exploit demonstrates an authentication bypass in Antminer Monitor 0.5.0 by leveraging a static secret key in the Flask settings file. The PoC provides a method to generate a valid session cookie using the known secret key, granting admin access.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Antminer Monitor 0.5.0
No auth needed
Prerequisites: Access to the target application · Flask-unsign tool
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by vulnz · poc
https://github.com/vulnz/CVE-2021-40903

This PoC demonstrates an authentication bypass in Antminer Monitor 0.5.0 by exploiting a static secret key in the Flask settings file. The exploit uses the 'flask-unsign' tool to generate a valid admin session cookie, allowing unauthorized access.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Antminer Monitor 0.5.0
No auth needed
Prerequisites: Access to the target application · Flask-unsign tool
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50267

Scores

CVSS v3 9.8
EPSS 0.0440
EPSS Percentile 90.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-798
Status: published
Products (1)
antminer_monitor_project/antminer_monitor 0.50.0
Published: Jun 17, 2022
Tracked Since: Feb 18, 2026