Monsta FTP Under Fire: Understanding and Mitigating CVE-2025-34299
Publication date: 2025-11-25
Almost three weeks after the disclosure of CVE-2025-34299, a critical remote code execution vulnerability in Monsta FTP, hundreds of publicly accessible servers remain unpatched. The Shadowserver Foundation reports that, as of late November 2025, around 800 systems exposed online are still vulnerable, while watchTowr notes that over 5,000 Monsta FTP installations can typically be found exposed on the internet at any given time. This is despite a patch having been available since 26 August 2025, shipped quietly in version 2.11.3 with no explicit security notes.
The vulnerability carries a CVSS score of 9.3 (Critical) and allows unauthenticated arbitrary file uploads that can lead directly to remote code execution. Administrators who run Monsta FTP as a web-based file manager may unknowingly be exposing their entire server to compromise.
Readers can consult the full BaseFortify CVE report, including CVSS breakdown, CWE/ATT&CK mapping, Q&A, and AI Assistant:
https://basefortify.eu/cve_reports/2025/11/cve-2025-34299.html
How the Vulnerability Works
The flaw falls under CWE-434 (Unrestricted Upload of File With Dangerous Type). Monsta FTP exposes an API mechanism for fetching files from remote FTP/SFTP servers. Vulnerable versions fail to validate remote sources, destination paths, or file types.
A typical vulnerable code path can be conceptualised as:
$remote = $_POST['remote_path'];           // attacker-controlled: which file to fetch from the remote FTP/SFTP server
$local  = $_POST['local_path'];            // attacker-controlled: where to write it; never validated
$data   = ftp_get_contents($ftp, $remote); // illustrative helper standing in for the real fetch; not a built-in PHP function
file_put_contents($local, $data);          // writes anywhere the web server user can write, including the webroot
Because the application does not restrict $local, an attacker can cause Monsta FTP to write a file such as:
/var/www/html/shell.php
The attacker then requests it directly in the browser (for example https://your-domain.com/shell.php); the web server executes the PHP file, resulting in full remote code execution on the hosting server.
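To make the missing checks concrete, the following is an added illustration in Python, not Monsta FTP's own PHP code. It places the vulnerable pattern (request value used as the write path unchanged) beside a hardened version that confines the destination to an allowed directory and refuses server-executable file types. The directory name /srv/ftp-staging and the request values are constructed for the example.

```python
"""Destination-path validation for a 'fetch a remote file and store it locally' feature.

Added illustration, not Monsta FTP's own code: it shows the two checks the
conceptual code path above lacks, confinement of the destination to an
allowed directory and rejection of server-executable file types.
"""
import os
from pathlib import PurePosixPath

# Hypothetical directory the file manager is allowed to write into (outside the webroot).
ALLOWED_ROOT = "/srv/ftp-staging"

# Extensions a PHP-enabled web server would execute if such a file landed in the webroot.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps"}


class UnsafeDestination(ValueError):
    """Raised when a requested local path fails validation."""


def vulnerable_destination(requested: str) -> str:
    """The vulnerable pattern: the request value becomes the write path unchanged."""
    return requested


def safe_destination(requested: str, allowed_root: str = ALLOWED_ROOT) -> str:
    """Return the resolved write path, or raise UnsafeDestination.

    The request is interpreted relative to allowed_root, resolved with realpath
    (so '..' segments and symlinks are followed) and then required to stay inside
    allowed_root. Every suffix of the final name is checked, so 'x.php.txt' is
    rejected as well as 'x.php'.
    """
    if "\x00" in requested:
        raise UnsafeDestination("null byte in path")
    root = os.path.realpath(allowed_root)
    # Strip leading slashes: os.path.join would otherwise discard the root for an absolute request.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if candidate == root:
        raise UnsafeDestination("destination must name a file, not the root directory")
    if not candidate.startswith(root + os.sep):
        raise UnsafeDestination(f"path escapes allowed root: {requested!r}")
    suffixes = {s.lower() for s in PurePosixPath(candidate).suffixes}
    if suffixes & BLOCKED_EXTENSIONS:
        raise UnsafeDestination(f"executable file type rejected: {requested!r}")
    return candidate


def classify(requested: str) -> tuple:
    """Convenience wrapper: (accepted, resolved path or rejection reason)."""
    try:
        return True, safe_destination(requested)
    except UnsafeDestination as exc:
        return False, str(exc)


if __name__ == "__main__":
    for req in ("uploads/report.txt", "/var/www/html/shell.php",
                "../../var/www/html/notes.txt", "report.php.txt"):
        print(f"vulnerable -> {vulnerable_destination(req)!r}; hardened -> {classify(req)}")
```

The containment check relies on realpath rather than string inspection of the request, so a symlink inside the staging directory that points into the webroot is caught the same way as a literal "../" traversal. The extension denylist is a second line of defence only; keeping the staging directory outside any path the web server will execute is what actually removes the risk.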
How to Check if You Are Vulnerable
1. Determine your installed version
You are vulnerable if you run any version older than 2.11.3 (version 2.11 and earlier releases included). To locate Monsta FTP on a typical Linux web server:
grep -r "Monsta" -n /var/www/
grep -r "MFTP" -n /var/www/
Then inspect the application folder for a version indicator such as version.json or config.php, or check the footer in the web interface.
2. Test whether Monsta FTP is publicly exposed
From an external system, check if the Monsta FTP interface is reachable:
curl -I https://your-domain.com/mftp/
curl -I https://your-domain.com/monsta/
A 200 OK response indicates that the interface is accessible from the internet, significantly increasing risk. A 301 or 302 redirect to a login page should be treated the same way, since it still confirms the application is reachable.
3. Check for suspicious uploaded files
Search for recently created or modified PHP files in your webroot:
find /var/www -type f -name "*.php" -mtime -7      # modified in the last 7 days
find /var/www -type f -name "*.php" -mmin -1440    # modified in the last 24 hours
Investigate any unexpected filenames such as shell.php, backdoor.php, or cmd.php.
4. Review web server access logs
Look for unusual access patterns to Monsta FTP or suspicious scripts:
grep "mftp" /var/log/nginx/access.log
grep "shell.php" /var/log/nginx/access.log
Unknown POST requests to Monsta FTP endpoints or direct access to newly created PHP files should be treated as potential compromise.
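Steps 3 and 4 above can be combined into one triage script. The following is an added example, not part of the original advisory or of the Monsta FTP project: it parses access-log lines in the common nginx/Apache combined format, flags POST requests to Monsta FTP paths and requests for PHP files that are not expected on the server, raises severity when the same client does both within a short window, and reproduces the find check for recently modified PHP files. The log lines, IP addresses, timestamps and the endpoint path /mftp/EXAMPLE-ENDPOINT.php are constructed placeholders, not Monsta FTP's real routes.

```python
"""Access-log and webroot triage for the indicators described in steps 3 and 4.

Added example, not part of the original advisory or the Monsta FTP project.
All sample data below is constructed; the endpoint name is a placeholder.
"""
import os
import re
import tempfile
import time
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Path prefixes under which this hypothetical server hosts Monsta FTP.
MFTP_PREFIXES = ("/mftp/", "/monsta/")
# PHP files that are legitimately requested directly on this hypothetical server.
KNOWN_PHP = {"/index.php"}

# Constructed sample log (combined format); the POST target is a placeholder path.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:00:01 +0000] "GET /mftp/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:00:05 +0000] "POST /mftp/EXAMPLE-ENDPOINT.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [20/Nov/2025:10:00:09 +0000] "GET /shell.php?c=id HTTP/1.1" 200 146 "-" "python-requests/2.31"
198.51.100.24 - - [20/Nov/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.24 - - [20/Nov/2025:10:05:02 +0000] "GET /mftp/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["file"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(lines, window=timedelta(minutes=15)):
    """Return findings for Monsta FTP POSTs, requests for unknown PHP files outside the
    application, and the high-severity combination of both from one client within `window`."""
    findings = []
    last_mftp_post = {}  # ip -> timestamp of the most recent POST to a Monsta FTP path
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["file"]
        if rec["method"] == "POST" and path.startswith(MFTP_PREFIXES):
            last_mftp_post[ip] = ts
            findings.append({"severity": "medium", "kind": "mftp_post", "ip": ip, "path": path})
        # The application's own PHP files live under MFTP_PREFIXES; anything else ending in .php is suspect.
        if path.lower().endswith(".php") and not path.startswith(MFTP_PREFIXES) and path not in KNOWN_PHP:
            kind, severity = "unknown_php", "medium"
            prior = last_mftp_post.get(ip)
            if prior is not None and timedelta(0) <= ts - prior <= window:
                kind, severity = "post_then_php", "high"
            findings.append({"severity": severity, "kind": kind, "ip": ip, "path": path})
    return findings


def recent_php_files(root, days=7):
    """Equivalent of `find root -type f -name '*.php' -mtime -days`."""
    cutoff = time.time() - days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".php") and os.path.getmtime(full) >= cutoff:
                hits.append(full)
    return sorted(hits)


def demo_tree_recent_php(days=7):
    """Build a constructed temporary webroot with one fresh and one 30-day-old PHP file
    and return the basenames that recent_php_files() flags."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    fresh, old = os.path.join(root, "shell.php"), os.path.join(root, "index.php")
    for p in (fresh, old):
        with open(p, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    os.utime(old, (time.time() - 30 * 86400,) * 2)  # backdate atime and mtime
    return [os.path.basename(p) for p in recent_php_files(root, days)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f)
    print("recent PHP files in demo tree:", demo_tree_recent_php())
```

In the constructed log, the client 203.0.113.7 posts to a Monsta FTP path and four seconds later fetches /shell.php, which the script reports as a high-severity "post_then_php" finding; the ordinary browsing client 198.51.100.24 produces nothing. On a real server, feed the script the actual access log (for example /var/log/nginx/access.log), adjust MFTP_PREFIXES and KNOWN_PHP to the site's layout, and treat any high-severity hit as a reason to start the incident response steps below.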
What Administrators Should Do
- Update immediately to Monsta FTP 2.11.3 or later.
- Restrict network access so Monsta FTP is only reachable from internal or trusted networks.
- Audit the server for unexpected PHP files, configuration changes, or persistence mechanisms.
- Rotate credentials used by Monsta FTP and associated FTP/SFTP accounts.
- Assume potential compromise if the service was publicly exposed while running a vulnerable version, and perform a full incident response review.
How BaseFortify Helps
BaseFortify assists organisations by automatically identifying vulnerable components, mapping CVEs to installed software, and presenting clear impact and mitigation guidance.
Our CVE report for CVE-2025-34299 includes an interactive Q&A section and an AI Assistant that can explain the vulnerability, assess risks for your environment, and provide concrete remediation steps. Administrators using My Nodes and My Components will be alerted if Monsta FTP or related components are detected in their environment, ensuring that high-risk issues like CVE-2025-34299 are prioritised and addressed.
Interested in monitoring vulnerabilities like this automatically and receiving tailored guidance for your own environment? You can register for free at:
https://basefortify.eu/register
Resources
- BaseFortify CVE Report: https://basefortify.eu/cve_reports/2025/11/cve-2025-34299.html
- watchTowr Labs analysis: https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/
- Security.nl coverage (Dutch): https://www.security.nl/posting/914497/Honderden+kwetsbare+Monsta+FTP-clients+toegankelijk+vanaf+internet
- Vulnerability advisory (VulnCheck): https://vulncheck.com/advisories/
- Monsta FTP project: https://www.monstaftp.com
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-34299