A web-based file management application, Monsta FTP, was recently found to have a serious security problem that could allow hackers to completely take over a web server.
Cybersecurity firm watchTowr discovered and reported the issue in a technical blog post shared with Hackread.com. Monsta FTP is a web-based tool that lets users upload, download and modify website files directly through a browser, which makes it popular with everyone from major financial institutions to individual site owners as an alternative to installing separate desktop software.
How did it all start?
The research that led to this discovery began when watchTowr was investigating older, known vulnerabilities in Monsta FTP, specifically looking at versions like 2.10.4. The team suspected that flaws reported in an even older version (2.10.3), which included Server-Side Request Forgery (SSRF) and arbitrary file upload issues (CVE-2022-31827, CVE-2022-27469, and CVE-2022-27468), might still exist.
Further probing showed that these older versions still lacked the relevant protections. That led the team to examine the current version, where they found the new, more serious flaw.
Critical Flaw: Unauthenticated Access
The problem, now officially tracked as CVE-2025-34299, is a serious pre-authentication flaw: an attacker can trigger it without logging in or holding any username or password, and it leads to Remote Code Execution (RCE).
RCE is the most serious class of vulnerability because it lets a remote attacker run their own code on the target server. In this case, CVE-2025-34299 allowed an attacker to make Monsta FTP download a file they controlled (containing the malicious code) and save it to any path they chose on the victim's server.
In its report, watchTowr confirmed the method worked, noting: “It connected, pulled our payload, and wrote it to the specified path.” Dropping a malicious file in this way, often called a ‘web shell’, gives the attacker full control of the server or hosting environment. By watchTowr's count, at least 5,000 Monsta FTP instances were exposed on the internet, so a large number of web servers were at risk.
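The bug described above combines two missing checks: no login requirement and no restriction on where a fetched file may be written. The following Python is an added illustration of how a guarded "fetch a URL and store it at a path" handler closes both gaps; it is not Monsta FTP's code, and the file root, the session shape and the injected fetch/write callables are assumptions made for the example.

```python
import os
from urllib.parse import urlparse

# Assumed layout (not from the article): every managed file lives under one root.
FILE_ROOT = "/srv/monsta-files"


class RejectedRequest(Exception):
    """Raised when a fetch-and-save request fails a safety check."""


def resolve_destination(root: str, requested: str) -> str:
    """Map a client-supplied path onto the file root and refuse anything that
    normalises to a location outside it (e.g. '../../etc/cron.d/job').
    A leading '/' is treated as relative to the root, not to the filesystem."""
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, requested.lstrip("/")))
    # commonpath() collapses '..' traversal: anything that resolves outside
    # root_abs (or onto the root directory itself) is rejected before any I/O.
    if candidate == root_abs or os.path.commonpath([root_abs, candidate]) != root_abs:
        raise RejectedRequest(f"destination escapes file root: {requested!r}")
    return candidate


def save_fetched_file(session, source_url: str, requested: str, fetch, write) -> str:
    """Guarded 'download URL and store it at a path' handler.
    - session: dict-like; 'user' is set only after a successful login (assumed shape)
    - fetch(url) -> bytes and write(path, data) are injected so the example has no
      network or disk side effects; a real handler would pass its HTTP client here.
    Returns the path written, or raises RejectedRequest on any failed check."""
    if not session or not session.get("user"):
        raise RejectedRequest("login required")                  # no pre-auth use
    scheme = urlparse(source_url).scheme.lower()
    if scheme not in ("http", "https"):
        raise RejectedRequest(f"scheme not allowed: {scheme!r}")  # no file://, gopher://
    dest = resolve_destination(FILE_ROOT, requested)              # stay inside the root
    write(dest, fetch(source_url))
    return dest
```

The authentication gate alone would have blocked the unauthenticated exploitation path; the root confinement is what stops a logged-in user from turning the same feature into an arbitrary file write.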
The Fix
watchTowr alerted the Monsta FTP development team to this critical security flaw on August 13, 2025. The developers responded quickly, and a patched version, Monsta FTP 2.11.3, was released on August 26, 2025. If you or your organisation runs Monsta FTP, you must update to version 2.11.3 or later immediately to keep your web server safe.
