Full Report
Security researchers have discovered an actively exploited remote code execution vulnerability in Monsta FTP, a web-based FTP client used by financial institutions, enterprises, and individual users worldwide. The flaw, now tracked as CVE-2025-34299, affects versions up to 2.11.2 and allows attackers to execute arbitrary code on vulnerable servers without authentication.

The post Monsta FTP Remote Code Execution Flaw Being Exploited in the Wild appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Analysis Summary
# Vulnerability: Monsta FTP Remote Code Execution (RCE) Flaw
## CVE Details
- CVE ID: CVE-2025-34299
- CVSS Score: not provided in the source; severity assessed as Critical/High because the flaw allows unauthenticated remote code execution
- CWE: not provided in the source (remote code execution vulnerability class)
## Affected Systems
- Products: Monsta FTP (Web-based FTP client)
- Versions: Up to and including 2.11.2
- Configurations: Any deployed instance of the affected versions.
## Vulnerability Description
The vulnerability resides in Monsta FTP's `downloadFile` function, which processes file retrieval requests from external SFTP servers. An attacker can trigger it with a single unauthenticated POST request. The request instructs the vulnerable Monsta FTP server to connect to an attacker-controlled SFTP server, download a payload, and write that payload to an arbitrary location on the target server's filesystem. If the payload lands in a web-accessible directory, the attacker can then execute arbitrary code, leading to complete server compromise. The earlier input-validation fix in version 2.11 (`inputValidator.php`) did not address this root cause.
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (Requires a single, unauthenticated POST request)
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Potential for full data exfiltration)
- Integrity: High (Ability to execute arbitrary code and modify system files)
- Availability: High (Potential for system takeover or denial of service)
## Remediation
### Patches
- **Upgrade to Monsta FTP version 2.11.3 or a later release.** (Patch released on August 26, 2025)
### Workarounds
- Implement strict network segmentation and restrict external network access to the Monsta FTP application where possible.
- Apply rigorous access restrictions to the application endpoint.
## Detection
- **Indicators of Compromise (IOCs):** Look for outbound network connections originating from the Monsta FTP server initiated toward external, suspicious SFTP servers, especially if these connections precede file writes to web-accessible directories.
- **Detection methods and tools:** Monitor web/application logs for unusual POST requests targeting endpoints related to file download/retrieval functions, and examine the server filesystem for new, unexpected files in public paths that could indicate staging of a remotely fetched payload.
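The correlation described above, as an added example that is not part of the original report: a POST to the download function followed shortly by an outbound SFTP connection from the Monsta FTP host to a server not on an allowlist. The log lines, the server address (10.0.0.5), the allowlisted SFTP host and the request path are constructed; the report names the vulnerable function but not the exact HTTP endpoint.

```python
import re
from datetime import datetime, timedelta

# Constructed sample web-server access log (Apache combined format). The request
# path is a placeholder: the report names the vulnerable function (downloadFile)
# but not the exact HTTP endpoint.
ACCESS_LOG = """\
203.0.113.7 - - [26/Aug/2025:10:15:02 +0000] "POST /monsta/index.php?action=downloadFile HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.20 - alice [26/Aug/2025:10:16:40 +0000] "GET /monsta/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2025:10:40:00 +0000] "POST /monsta/index.php?action=downloadFile HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

# Constructed firewall/netflow export for the Monsta FTP host (assumed 10.0.0.5).
CONN_LOG = """\
2025-08-26T10:15:03Z src=10.0.0.5 dst=198.51.100.9 dport=22 proto=tcp action=allow
2025-08-26T10:16:45Z src=10.0.0.5 dst=10.0.0.40 dport=22 proto=tcp action=allow
2025-08-26T10:41:10Z src=10.0.0.5 dst=203.0.113.99 dport=443 proto=tcp action=allow
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
CONN_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)')

def download_posts(access_log, action="downloadFile"):
    """Return (time, client_ip) for every POST whose request targets the download action."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and action in m["path"]:
            hits.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    return hits

def outbound_sftp(conn_log, server_ip, known_sftp):
    """Return (time, dst) for port-22 connections from the server to hosts not on the allowlist."""
    conns = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and m["src"] == server_ip and m["dport"] == "22" and m["dst"] not in known_sftp:
            conns.append((datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), m["dst"]))
    return conns

def correlate(access_log, conn_log, server_ip, known_sftp, window=timedelta(seconds=30)):
    """Flag a download POST that is followed within `window` by an outbound SFTP
    connection to an unknown host: the sequence the report describes."""
    alerts = []
    for post_t, client in download_posts(access_log):
        for conn_t, dst in outbound_sftp(conn_log, server_ip, known_sftp):
            if post_t <= conn_t <= post_t + window:
                alerts.append({"client": client, "sftp_host": dst, "at": conn_t.isoformat()})
    return alerts
```

On the constructed data, `correlate(ACCESS_LOG, CONN_LOG, "10.0.0.5", {"10.0.0.40"})` returns one alert for the 10:15 POST; the 10:40 POST has no matching outbound SFTP connection and is not flagged.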
## References
- Vendor advisory (fix implied by the v2.11.3 release notes)
- Initial research investigation: hxxps://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/
- CVE entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-34299