CVE-2025-34299

Monsta FTP <= 2.11 Unauthenticated Arbitrary File Upload

CVSS 9.3 CRITICALEPSS 72.0%CWE-434

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Monsta Limited of New Zealand · Monsta FTP

public PoCs found — 4

githubgithub.com/Chocapikk/CVE-2025-34299★ 4 githubgithub.com/rxerium/CVE-2025-34299★ 0 githubgithub.com/KrE80r/CVE-2025-34299-lab★ 0 cve_referencelabs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/https://www.monstaftp.com/notes/https://www.vulncheck.com/advisories/monsta-ftp-unauthenticated-arbitrary-file-upload