Full Report
Monsta FTP is a web-based FTP client that lets users manage and transfer files on remote servers through the web browser. Vulnerabilities had already been found in it (making it an N-day), which they decided to review. One of these was an arbitrary file upload that leads to RCE. An SSRF and an RCE were not initially fixed, although they were reported in the CVE database. After going through lots and lots of versions, they found some input validation functions that were trying to prevent path traversal. Hurray, they found the patch! The SSRF vulnerability that had been reported still worked... so, was the RCE bug patched? Maybe the developers didn't understand what or where to patch. They were curious whether the patch was sufficient. After looking at a large switch statement, they realized that DownloadFile had no directory traversal checks at all. By spinning up a malicious SFTP server that exploited the directory traversal, they were able to write a file anywhere on the server. They don't mention an authentication bypass... but they claim this leads to an unauthenticated RCE on Monsta FTP.

For me, there are two takeaways. First, not all patches are sufficient. Second, much of the time there are other variants of a vulnerability lurking if you go looking for them. Overall, a good blog post on finding security issues once some issues are already known.
Analysis Summary
# Vulnerability: Pre-Authenticated Arbitrary File Write to RCE in Monsta FTP
## CVE Details
- **CVE ID:** CVE-2025-34299 (Legacy/Related: CVE-2022-27468, CVE-2022-31827, CVE-2022-27469)
- **CVSS Score:** 9.8 (Critical) - *Estimated based on unauthenticated RCE impact*
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:** Monsta FTP (Web-based FTP client)
- **Versions:** Versions prior to 2.11.3 (Specifically confirmed in 2.10.3 and 2.10.4; likely many versions in between)
- **Configurations:** Default installations using the `/mftp/` context path; publicly accessible instances.
## Vulnerability Description
The vulnerability stems from a lack of input validation and directory traversal protections within the `DownloadFile` action in the `api.php` component. While developers had attempted to apply path traversal patches to other functions, they failed to secure the download routine.
An attacker can provide a malicious remote (S)FTP server as the source. When Monsta FTP attempts to "download" a file from this malicious server, the server can return a filename containing directory traversal sequences (e.g., `../../`). Because the application does not sanitize the destination path, it writes the file to an arbitrary location on the local web server's filesystem, such as the web root, allowing for the execution of a malicious PHP shell.
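The destination-path defect described above, shown as an added PHP example (this is not Monsta FTP's code): the unchecked join beside a hardened version that confines the write to the intended directory. The function names and the scratch download directory are assumptions for illustration.

```php
<?php
// Added example, not Monsta FTP's code. It models the defect behind
// CVE-2025-34299: a remote (S)FTP server chooses the file name it returns,
// and if that name is joined to a local directory unchecked, "../" escapes it.
// Function names and the download directory are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern: the remote-supplied name is concatenated verbatim.
function vulnerableDestination(string $downloadDir, string $remoteName): string
{
    return rtrim($downloadDir, '/') . '/' . $remoteName;
}

// Hardened pattern: accept only a bare file name and confine the canonical
// destination to the intended directory. Returns null when the name is rejected.
function safeDestination(string $downloadDir, string $remoteName): ?string
{
    $base = realpath($downloadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // A name from a remote listing should be a bare file name: no path
    // separators, no "." or "..", no NUL byte (which truncates paths at the C level).
    if ($remoteName === '' || $remoteName === '.' || $remoteName === '..'
        || preg_match('#[/\\\\\x00]#', $remoteName) === 1) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $remoteName;
    // Defence in depth: the canonical parent of the result must be $base itself.
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

// Demonstration with a constructed traversal name of the kind a malicious
// server could return; the download directory is a scratch directory.
$dir = sys_get_temp_dir() . '/mftp-downloads';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
$evil = '../../../var/www/html/shell.php';
printf("vulnerable: %s\n", vulnerableDestination($dir, $evil)); // path leaves $dir
printf("hardened:   %s\n", safeDestination($dir, $evil) ?? 'rejected');
printf("hardened:   %s\n", safeDestination($dir, 'report.txt') ?? 'rejected');
```

The download directory itself should also not be served with PHP execution enabled, which is the CWE-434 half of the issue the advisory lists.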
## Exploitation
- **Status:** PoC available (Published by watchTowr Labs)
- **Complexity:** Medium (Requires standing up a malicious SFTP server)
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Full access to server files and databases)
- **Integrity:** High (Ability to modify any web application file)
- **Availability:** High (Potential for site defacement or deletion of system files)
## Remediation
### Patches
- **Upgrade to Monsta FTP v2.11.3** or later (Released August 26, 2025). This version specifically remediates the directory traversal in the download functionality.
### Workarounds
- Restrict access to the Monsta FTP interface via IP whitelisting or VPN.
- Disable the ability for the application to connect to untrusted/external SFTP servers if possible.
- Ensure the web server user (`www-data`) has highly restricted "write" permissions to the web root.
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected PHP files in the Monsta FTP directory (e.g., `index3.php` or similar randomly named shells).
  - Web server logs showing `POST` requests to `/application/api/api.php` with `actionName` set to `fetchRemoteFile` or `DownloadFile` targeting unknown external IPs.
- **Detection Methods:** Audit file system integrity for modified PHP files and monitor outbound connections to non-trusted (S)FTP servers.
## References
- **Vendor Advisory:** [https://www.monstaftp.com/notes/](https://www.monstaftp.com/notes/)
- **Original Research:** [https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/)
- **CVE Record:** [https://www.cve.org/CVERecord?id=CVE-2025-34299](https://www.cve.org/CVERecord?id=CVE-2025-34299)