Security researchers at watchTowr Labs reported an unrestricted file upload vulnerability in certain versions of Monsta FTP. This flaw allows dangerous file types to be automatically processed within the application’s environment, resulting in remote code execution (RCE). Successful exploitation allows a remote, unauthenticated adversary to upload a specially crafted file from a malicious SFTP or FTP server and subsequently execute arbitrary code on the server. This vulnerability has been designated CVE-2025-34299 and has been rated critical with a CVSS score of 9.3.

The following versions are affected

• Monsta FTP versions prior to 2.11.3

What is Monsta FTP? #

Monsta FTP is a web-based File Transfer Protocol (FTP) client, written in PHP and JavaScript, that is installed on a web server to manage the site’s files directly through a web browser instead of using a traditional desktop client application.

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• Monsta FTP upgrade to version 2.11.3 or later

How to find potentially vulnerable systems with runZero #

From the Service inventory, use the following query to locate potentially vulnerable assets:

_asset.protocol:http AND protocol:http AND favicon.ico.image.mmh3:="1535999103"