Security researchers have discovered an actively exploited remote code execution vulnerability in Monsta FTP, a web-based FTP client used by financial institutions, enterprises, and individual users worldwide.
The flaw, now tracked as CVE-2025-34299, affects versions up to 2.11.2 and allows attackers to execute arbitrary code on vulnerable servers without authentication.
| CVE ID | Vulnerability Type | Affected Version | Status | Exploitation |
|---|---|---|---|---|
| CVE-2025-34299 | Remote Code Execution (RCE) | Monsta FTP ≤ 2.11.2 | Patched in v2.11.3 (Aug 26, 2025) | Active exploitation in the wild |
Researchers at watchTowr Labs initially investigated an older vulnerability in Monsta FTP version 2.10.4 as part of their threat response process.
However, their analysis found that previously reported vulnerabilities in version 2.10.3 were never adequately fixed in subsequent releases, including the latest version at the time of discovery.
The investigation revealed that while the developers added extensive input validation functions in version 2.11, collected in a new file called inputValidator.php, those filters hardened the surrounding request inputs without removing the code path that makes remote code execution possible.
How the Attack Works
The vulnerability exploits Monsta FTP’s downloadFile function, which allows the application to retrieve files from external SFTP servers.
Attackers can abuse this functionality with a crafted HTTP request that instructs Monsta FTP to connect to an SFTP server under the attacker's control, download a payload from it, and write that payload to an arbitrary location on the target server.
The attack requires no authentication and can be carried out with a single POST request to the vulnerable endpoint.
Once the payload, for example a PHP script, has been written into a web-accessible directory, a single request to that path runs it with the web server's privileges, which can lead to complete compromise of the host.
Monsta FTP developers released version 2.11.3 on August 26, 2025, which addresses the remote code execution vulnerability.
The flaw was officially assigned CVE-2025-34299 on November 4, 2025, more than two months after the fix shipped, so vulnerability scanners keyed to the CVE identifier may only recently have started flagging affected installs; organizations running Monsta FTP should check the installed version directly and upgrade immediately to version 2.11.3 or later to protect against active exploitation attempts.
The discovery highlights ongoing concerns about incomplete vulnerability remediation in third-party software components, particularly those written in PHP and exposed to the internet.
Security experts recommend conducting thorough audits of web-based file management tools and implementing additional security controls such as network segmentation and access restrictions.
