Monsta Web FTP RCE Vulnerability Actively Exploited in the Wild
The vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers by leveraging a path traversal flaw during file downloads.
Monsta FTP, which powers over 5,000 Internet-facing instances, contains a dangerous combination of design flaws.
The application accepts user-controlled file paths through its API endpoint at /mftp/application/api/api.php without proper validation.
Attackers can manipulate the localPath parameter in download requests to write arbitrary files to any location on the web server.
The attack chain is straightforward: trick Monsta FTP into connecting to an attacker-controlled SFTP server, have it download a malicious payload, then write that file to a web-accessible directory such as /var/www/html/mftp/.
This results in immediate code execution with web server privileges.
Security researchers discovered this vulnerability in August 2025 and disclosed it responsibly to Monsta FTP developers. ]
The vulnerability remained unfixed across multiple versions, including 2.10.3, 2.10.4, and initially 2.11. Patches were released in version 2.11.3 on August 26, 2025, followed by CVE-2025-34299 assignment on November 4, 2025.
The vulnerability is particularly concerning because it requires no authentication and affects organizations across financial services, enterprises, and individual users who rely on Monsta FTP for remote file management.
| CVE ID | Affected Versions | Type | Severity | Status |
|---|---|---|---|---|
| CVE-2025-34299 | 2.10.3 – 2.11.2 | Remote Code Execution | Critical | Patched in 2.11.3 |
Organizations running Monsta FTP should update to version 2.11.3 or later immediately. Additionally, implement network segmentation and restrict API endpoint access to trusted IP addresses.
Monitor web server logs for suspicious file write operations to /mftp/ directories.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
The post Monsta Web FTP RCE Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.
The latest Nite to Unite fundraiser raised $1.15 million to support undergraduate scholarships and grants…
It takes more than a single speaker to reproduce an entire soundstage. That's where Sonos'…
The team behind the now-cancelled Buffy the Vampire Slayer reboot was told by Hulu that…
Free-to-play anime open-world RPG The Seven Deadly Sins: Origin is available to play now on…
We’ve got an unlikely remake on our hands: Bloodsport, the 1988 martial arts movie starring…
The Unique Identification Authority of India (UIDAI) has introduced its first structured bug bounty programme…
This website uses cookies.