In the web-based data transfer software Monsta FTP, a security vulnerability has been discovered. Attackers can use this to inject and execute malicious code. An update is available.
The vulnerability description states: “Monsta FTP 2.11 and earlier versions contain a vulnerability that allows unauthenticated users to upload arbitrary files. The flaw enables attackers to execute code by uploading specially crafted files from a malicious (S)FTP server” (CVE-2025-34299, CVSS4 9.3, risk “critical”).
Vulnerability Analysis Leads to Frowns
IT researchers from watchtowr discovered the flaw and published a decidedly tongue-in-cheek analysis. At least 5000 instances of Monsta FTP are accessible from the internet. The software gives access to the contents of an external (S)FTP server through a user-friendly interface: reading, writing, and modifying files. The user base includes financial institutions, companies, and overly ambitious individual users. The software is also interesting for attackers because it is programmed in PHP, watchtowr jokes.
Readers can follow the chain of investigation there. It starts from Monsta FTP 2.10.4, which is not quite up to date (the 2.11 development branch is current), because a large part of the internet does not run the current version. In that version the researchers found three security vulnerabilities that were already known for version 2.10.3. They therefore examined the current 2.11 branch to see whether the vulnerabilities had been patched there.
The analysts found new functions in the program code, such as path filtering. However, proof-of-concept code for exploiting the SSRF vulnerability CVE-2022-31827 – in Monsta FTP 2.10.3 – still worked. The analysis of the vulnerability then led to the discovery of the new security vulnerability that allows the execution of malicious code – specifically, “Pre-Authentication Remote Code Execution,” meaning execution of malicious code from the network without prior authentication.
According to watchtowr, Monsta FTP 2.11.3 from August 26, 2025, correctly patches this security vulnerability. The Monsta FTP changelog for the release states only “Resolved PHP 7.x compatibility issue”; the developers do not mention any patched security vulnerabilities.
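Because the changelog gives no hint that 2.11.3 is a security release, operators have to compare installed versions against the numbers in the advisory themselves. The following is an added example, not code from watchtowr or Monsta FTP: it triages an inventory of reported version strings, with constructed hostnames and versions, and the "upgrade" bucket for 2.11.1 and 2.11.2 is an assumption, since the article names only "2.11 and earlier" and the 2.11.3 fix.

```python
import re

FIXED = (2, 11, 3)         # release the article names as patching CVE-2025-34299
ADVISORY_MAX = (2, 11, 0)  # "2.11 and earlier" from the CVE description

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def triage(version_text):
    """Classify one reported Monsta FTP version against the article's statements."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"   # unparseable: check the installation by hand
    if v >= FIXED:
        return "fixed"
    if v <= ADVISORY_MAX:
        return "affected"  # inside the range the CVE text names
    # Assumption: 2.11.1-2.11.2 are not classified by the article; they predate
    # the named fix, so they are flagged for upgrade rather than cleared.
    return "upgrade"

def triage_inventory(inventory):
    """Group hosts by status so the worst bucket can be handled first."""
    out = {"affected": [], "upgrade": [], "unknown": [], "fixed": []}
    for host, version_text in inventory.items():
        out[triage(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in out.items()}

# Constructed inventory: hypothetical hosts, versions as an asset scan might report them.
SAMPLE = {
    "files.example.test": "2.10.4",
    "ftp.example.test": "2.11",
    "share.example.test": "2.11.2",
    "web01.example.test": "v2.11.3",
    "legacy.example.test": "2.9",   # numeric compare: 2.9 is older than 2.10.4
    "odd.example.test": "unknown-build",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:9} {', '.join(hosts) or '-'}")
```

Versions are compared as integer tuples because a plain string comparison would sort 2.9 after 2.10.4.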
Data Transfer Software with Vulnerabilities: A Favorite of Cyber Gangs
Data transfer solutions like Monsta FTP are used, for example, for managing websites or for general data exchange. Cyber gangs like cl0p exploit such security vulnerabilities to copy data on a large scale and extort the affected companies. In mid-2023, the criminal organization compromised data at many well-known companies and corporations through a security vulnerability in MOVEit Transfer.
On the darknet leak site of the cyber gang cl0p, well-known companies have once again appeared as victims.
Just a few days ago, the Washington Post appeared as a victim of data exfiltration on the darknet leak site of the cl0p gang. The Washington Post did not respond to our inquiries; the perpetrators also do not disclose the scope and nature of the allegedly copied data. Even more recent is the entry for keyboard and mouse manufacturer Logitech. Here too, there is a lack of information about the nature and scope of the data theft or even confirmation from Logitech. Whether cl0p actually exfiltrated data from the two well-known organizations and through which security vulnerability in which software is currently completely unclear.
Cybercrime and ransomware are not natural disasters that one faces powerlessly. Those who understand how attackers tick, what methods they use, and how existing protective measures work can secure their IT in such a way that their protective measures do not collapse at the first wrong click.
(dmk)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.