CVE-2025-34299

9.8 CRITICAL

📋 TL;DR

CVE-2025-34299 is an unauthenticated arbitrary file upload vulnerability in Monsta FTP versions 2.11 and earlier. Attackers can exploit this by connecting from a malicious FTP/SFTP server to upload arbitrary files, leading to remote code execution. Organizations using vulnerable Monsta FTP installations are affected.

💻 Affected Systems

Products:
  • Monsta FTP
Versions: 2.11 and earlier
Operating Systems: All platforms where Monsta FTP runs
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with the attacker gaining full control over the server, data exfiltration, ransomware deployment, and lateral movement within the network.
🟠 Likely Case: Remote code execution leading to web shell installation, data theft, and potential use as an initial access vector for further attacks.
🟢 If Mitigated: Limited impact if proper network segmentation, file upload restrictions, and monitoring are in place, though the vulnerability remains dangerous.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and can be exploited remotely, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to attackers who gain initial access to the network or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers only need to connect from a malicious FTP/SFTP server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12 or later

Vendor Advisory: https://www.monstaftp.com/notes/

Restart Required: Yes

Instructions:

1. Download Monsta FTP version 2.12 or later from the official website.
2. Back up your current installation.
3. Replace the existing files with the updated version.
4. Restart the web server/service.

🔧 Temporary Workarounds

Disable Monsta FTP (platform: all)

Temporarily disable Monsta FTP until patching is possible. Service names below are the Debian/Ubuntu ones; adjust for your distribution.

# For Apache: disable the site, then reload so the change takes effect
sudo a2dissite monstaftp.conf
sudo systemctl reload apache2
# For Nginx: remove the enabled-site symlink, then reload
sudo rm /etc/nginx/sites-enabled/monstaftp
sudo systemctl reload nginx
# Or move the Monsta FTP directory out of the web root
sudo mv /var/www/monstaftp /var/www/monstaftp_disabled

Restrict Network Access (platform: linux)

Limit access to Monsta FTP using firewall rules. Replace trusted_ip with the allowed source address or CIDR range. Note that these rules apply to every site served on ports 80/443 on this host, not only Monsta FTP, and that -A appends to the chain, so an earlier blanket ACCEPT rule for these ports would take precedence; check with `sudo iptables -L INPUT -n --line-numbers` first.

# Allow only trusted_ip to reach the web ports
sudo iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
# Then drop everything else on those ports
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Monsta FTP instances from critical systems
  • Deploy a web application firewall (WAF) with rules to block file upload patterns and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Monsta FTP version in the admin interface or by examining the source code files. Look for version numbers 2.11 or lower.

Check Version:

# Match 2.0 through 2.11 as whole version numbers (an unescaped '2.9' would also match 2.90, 2-9, etc.)
grep -ri 'version' /path/to/monstaftp/installation/ | grep -E '\b2\.([0-9]|10|11)\b'

Verify Fix Applied:

Verify the version has been updated to 2.12 or later in the admin interface. Test that file uploads from untrusted FTP/SFTP servers are properly restricted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Monsta FTP directories
  • Suspicious FTP/SFTP connection attempts from unknown IPs
  • Web shell creation in web-accessible directories
  • Execution of unexpected PHP or other script files

Network Indicators:

  • Outbound connections from Monsta FTP server to unknown IPs
  • Unusual spikes in traffic to the Monsta FTP port
  • File upload requests containing executable content

SIEM Query:

source="monstaftp.log" AND ((event="file_upload" AND file_extension IN ("php", "jsp", "asp", "exe")) OR (event="connection" AND source_ip NOT IN (trusted_ips)))
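The following added example (not part of this advisory or of Monsta FTP) implements both the version check from "How to Verify" and the SIEM rule above in plain Python, so the logic can be tested offline against constructed log lines. The key=value log layout, the field names and the sample lines are assumptions.

```python
"""Version gate and log matcher for CVE-2025-34299 (added example, not
the vendor's code). Log format and field names are assumed."""
import re
import shlex

PATCHED = (2, 12)                          # first fixed release per the advisory
RISKY_EXT = {"php", "jsp", "asp", "exe"}   # extensions named in the SIEM query


def parse_version(text: str) -> tuple:
    """Return the first x.y[.z] in `text` as an int tuple. Numeric comparison
    avoids the grep pitfall where the pattern '2.9' also matches '2.90'."""
    m = re.search(r"(?<!\d)(\d+)\.(\d+)(?:\.(\d+))?(?!\d)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable_version(text: str) -> bool:
    """True for 2.11 and earlier, False from 2.12 onward."""
    return parse_version(text)[:2] < PATCHED


def parse_log_line(line: str) -> dict:
    """Assumed layout: space-separated key="value" pairs."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def matches_siem_rule(line: str, trusted_ips: set) -> bool:
    """Equivalent of the advisory's SIEM query: a file_upload with a risky
    extension OR a connection from an IP outside the trusted set."""
    ev = parse_log_line(line)
    if ev.get("source") != "monstaftp.log":
        return False
    risky_upload = (ev.get("event") == "file_upload"
                    and ev.get("file_extension", "").lower() in RISKY_EXT)
    untrusted_conn = (ev.get("event") == "connection"
                      and ev.get("source_ip") not in trusted_ips)
    return risky_upload or untrusted_conn


# Constructed sample lines, not real logs; 203.0.113.0/24 is documentation space
SAMPLE_LOGS = [
    'source="monstaftp.log" event="file_upload" file_extension="php" path="/var/www/html/x.php"',
    'source="monstaftp.log" event="file_upload" file_extension="txt" path="/home/u/notes.txt"',
    'source="monstaftp.log" event="connection" source_ip="203.0.113.7"',
    'source="monstaftp.log" event="connection" source_ip="10.0.0.5"',
]
TRUSTED = {"10.0.0.5"}


def alerts(lines=SAMPLE_LOGS, trusted=TRUSTED) -> list:
    """Return the lines that trip the rule (first and third sample lines)."""
    return [ln for ln in lines if matches_siem_rule(ln, trusted)]
```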
