Unauthenticated File Upload Vulnerability in Monsta FTP by Monsta FTP
CVE-2025-34299

9.3CRITICAL

Key Information:

Vendor

Monsta Limited Of New Zealand

Status
Monsta Ftp
Vendor
CVE Published:
7 November 2025

Badges

📈 Score: 242👾 Exploit Exists🟡 Public PoC🟣 EPSS 60%📰 News Worthy

What is CVE-2025-34299?

CVE-2025-34299 is a serious vulnerability found in Monsta FTP, a file transfer application developed by Monsta Limited in New Zealand, designed to facilitate secure file uploads and downloads via FTP and SFTP protocols. The vulnerability specifically pertains to versions 2.11 and earlier of the Monsta FTP software. It allows attackers to upload arbitrary files without authentication, which could lead to the execution of malicious code on the server. This capability poses a significant risk for organizations using Monsta FTP, as it can result in unauthorized access, potential data breaches, and compromised server integrity.

Potential impact of CVE-2025-34299

  1. Unauthorized Code Execution: The vulnerability enables attackers to execute arbitrary code on the server by uploading specially crafted files. This could lead to complete server compromise and control over sensitive data.

  2. Data Breaches: Once attackers gain unauthorized access through this vulnerability, they can exploit it to exfiltrate sensitive information or alter existing data, resulting in extensive data breaches that can have legal and reputational repercussions for organizations.

  3. Increased Attack Surface for Ransomware: The ease with which this vulnerability can be exploited may attract cybercriminals, including ransomware groups, to leverage it as a foothold for delivering more malicious payloads, leading to potential ransomware attacks that can disrupt business operations.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Monsta FTP 0 <= 2.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34299 - Proof of Concept

CVE-2025-34299-lab
Created by KrE80r

CVE-2025-34299
Created by Chocapikk

News Articles

favicon imagewatchTowr Labs

What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299)

Happy Friday, friends and.. others. We’re glad/sorry to hear that your week has been good/bad, and it’s the weekend/but at least it’s almost the weekend! What’re We Doing Today, Mr Fox? Today, in a tale that seems all too familar at this point,

References

https://www.monstaftp.com/notes/
release-notespatch
https://labs.watchtowr.com/whats-that-coming-over-the-hil...
technical-descriptionexploit
https://www.vulncheck.com/advisories/monsta-ftp-unauthent...
third-party-advisory

EPSS Score

60% chance of being exploited in the next 30 days.

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by watchTowr Labs

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sonny of watchTowr
JSON
.