CVE-2025-34299

Published Nov 7, 2025

Last updated 3 months ago

Overview

Description
Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
monsta_ftp

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

disclosure@vulncheck.com
CWE-434

Social media

Hype score
Not currently trending
  1. What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) #MonstaFTP #RemoteCodeExecution #ZeroDay #CVE202534299 #VulnerabilityDiscovery https://t.co/Nj9bTdrBgc

    @reverseame

    6 Mar 2026

    561 Impressions

    1 Retweet

    1 Like

    3 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-34299 - Monsta FTP vulnerability https://t.co/Zn3qwTbkm0 https://t.co/DuQSuBfipn

    @CloudVirtues

    29 Dec 2025

    56 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE-2025-34299 - critical 🚨 Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution > Monsta FTP = 2.11 contains an unrestricted file upload vulnerability caused by lack o... 👾 https://t.co/fs3o1UKjzU @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    11 Dec 2025

    204 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  4. CVE-2025-34299 - Monsta FTP vulnerability https://t.co/Meu0ZROd8a https://t.co/iuPUeCmVDb

    @SirajD_Official

    6 Dec 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-34299 - Monsta FTP vulnerability https://t.co/RNINrDtuvu https://t.co/GbgDqZCRU2

    @IdentityJason

    4 Dec 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🛡️ New WAF update! We're now blocking critical remote code execution attempts targeting Monsta FTP (CVE-2025-34299) & boosting XSS detection coverage. Keep your sites secure! 🚀 https://t.co/A32igNjSuI

    @mveracf

    3 Dec 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-34299 - Monsta FTP vulnerability https://t.co/XvmM8SQSEt https://t.co/Svcvuu6uQR

    @PhotoZel

    2 Dec 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Cloudflare has released new WAF rule addressing the following CVE to enhance customer protection. Monsta FTP - Remote Code Execution (CVE-2025-34299) https://t.co/OJymnEevsB

    @Cloudforce_One

    1 Dec 2025

    3839 Impressions

    5 Retweets

    18 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  9. We have been sharing Monsta FTP CVE-2025-34299 (pre-auth RCE) vulnerable instances for the last few weeks. Unfortunately, we still see over 780 IPs vulnerable (version based check) instances daily. Most affected: US & Slovakia: https://t.co/x3mSy6MqZt https://t.co/pzy4zLibd

    @Shadowserver

    24 Nov 2025

    1913 Impressions

    7 Retweets

    15 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  10. A Python exploit has been released for a critical Monsta FTP RCE flaw (CVE-2025-34299). The bug allows arbitrary PHP code execution by exploiting the downloadFile function. https://t.co/NX4hV39ou2 https://t.co/zaeB2Kkgt2

    @the_yellow_fall

    19 Nov 2025

    318 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) - watchTowr Labs https://t.co/De0i8l69Vb

    @_r_netsec

    15 Nov 2025

    587 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  12. 🔥 Warning CVE-2025-34299: Unauthenticated File Upload Vulnerability in Monsta FTP 🌐️Exposed #Monsta FTP favicon in Criminal IP: Query ➡️ favicon: -64a5a63 https://t.co/NXViPNQ2tp Key risk of CVE-2025-34299: -Unauthorized Code Execution -Data

    @CriminalIP_US

    14 Nov 2025

    113 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Monsta FTP remote code execution vulnerability (CVE-2025-34299, CVSS 9.3) warning. In the web-based FTP client Monsta FTP below v2.11, an unauthenticated attacker uploads arbitrary files via a malicious (S)FTP server →

    @CriminalIP_JP

    14 Nov 2025

    92 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

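  14. 🚨 Monsta FTP remote code execution vulnerability (CVE-2025-34299) warning. A critical vulnerability has been disclosed in the web-based FTP client Monsta FTP below v2.11 that allows unauthenticated arbitrary file upload → server-side RCE. 🔎 Criminal IP search query: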

    @CriminalIP_KR

    14 Nov 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Monsta FTP Vulnerability Exposed Thousands of Servers to Full Takeover (CVE-2025-34299) https://t.co/JLyvueozmo #patchmanagement

    @eyalestrin

    13 Nov 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨🚨CVE-2025-34299 (CVSS 9.3) — Monsta FTP: unauthenticated arbitrary file upload leading to remote code execution via a crafted file from a malicious (S)FTP server. Search by vul.cve Filter👉vul.cve="CVE-2025-34299" ZoomEye Dork👉app="Monsta FTP" 517 results found. Zo

    @zoomeye_team

    12 Nov 2025

    1679 Impressions

    8 Retweets

    29 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-34299: Monsta FTP vulnerable to remote execution https://t.co/Z7Yj4Sxlig #Internet #Noticia #CiberSeguridad #Tecnología via @unaaldia https://t.co/0dBxpeUVAK

    @Securizame

    11 Nov 2025

    281 Impressions

    2 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  18. An RCE vulnerability with the identifier CVE-2025-34299 has been published for Monsta, a web-based FTP client. To secure it, update to version v2.11.3. https://t.co/02kg

    @EthicalSafe

    10 Nov 2025

    33 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  19. 🚨 CVE-2025-34299: Monsta FTP Remote Code Execution A critical path traversal flaw in Monsta FTP lets attackers execute code without authentication. https://t.co/SFuulK7N8G #CyberSecurity #AppSec #Infosec #WebSecurity #ITSecurity #BugBounty #Hacking

    @pentestnews

    10 Nov 2025

    2 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  20. What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) - watchTowr Labs https://t.co/De0i8l69Vb

    @_r_netsec

    9 Nov 2025

    366 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  21. What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) - watchTowr Labs https://t.co/De0i8l69Vb

    @_r_netsec

    8 Nov 2025

    757 Impressions

    0 Retweets

    0 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 New plugin: MonstaFtpVersionPlugin (CVE-2025-34299). MonstaFTP RCE vulnerability detection - versions < 2.11.3 affected. Results: https://t.co/cnbvDGldd8 https://t.co/LTLBBsolZd

    @leak_ix

    7 Nov 2025

    984 Impressions

    3 Retweets

    7 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  23. What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) - watchTowr Labs https://t.co/wsuinzg8Jm https://t.co/UjPWCE0Iir

    @secharvesterx

    7 Nov 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2025-34299 Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code… https://t.co/pHmiDqb7FC

    @CVEnew

    7 Nov 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. csirt_it: ‼ #MonstaFTP: a #PoC is available for exploiting CVE-2025-34299 Risk: 🟠 Type: 🔸 Remote Code Execution 🔗 https://t.co/5SYTP8xjry ⚠ It is important to keep systems up to date https://t.co/LA0EiKvKvP

    @Vulcanux_

    7 Nov 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations