Monsta Web FTP RCE Vulnerability Actively Exploited in the Wild

A critical remote code execution vulnerability has been discovered in Monsta FTP, a web-based file transfer client used by thousands of organizations worldwide.

The vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers by leveraging a path traversal flaw during file downloads.

The Vulnerability

Monsta FTP, which powers over 5,000 Internet-facing instances, contains a dangerous combination of design flaws.

The application accepts user-controlled file paths through its API endpoint at /mftp/application/api/api.php without proper validation.

Attackers can manipulate the localPath parameter in download requests to write arbitrary files to any location on the web server.

The attack chain is straightforward: trick Monsta FTP into connecting to an attacker-controlled SFTP server, have it download a malicious payload, then write that file to a web-accessible directory such as /var/www/html/mftp/.

This results in immediate code execution with web server privileges.

Security researchers discovered this vulnerability in August 2025 and disclosed it responsibly to Monsta FTP developers. ]

The vulnerability remained unfixed across multiple versions, including 2.10.3, 2.10.4, and initially 2.11. Patches were released in version 2.11.3 on August 26, 2025, followed by CVE-2025-34299 assignment on November 4, 2025.

The vulnerability is particularly concerning because it requires no authentication and affects organizations across financial services, enterprises, and individual users who rely on Monsta FTP for remote file management.

Organizations running Monsta FTP should update to version 2.11.3 or later immediately. Additionally, implement network segmentation and restrict API endpoint access to trusted IP addresses.

Monitor web server logs for suspicious file write operations to /mftp/ directories.

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today