Security researchers have uncovered a critical remote code execution (RCE) flaw in Monsta FTP, a popular web-based file transfer client, now actively exploited in the wild.
Tracked as CVE-2025-34299, this unauthenticated vulnerability allows attackers to upload malicious files and execute arbitrary code on affected servers, potentially leading to full system compromise.
Monsta FTP enables users to manage files on remote servers directly through a browser, supporting FTP and SFTP protocols with features like uploading, downloading, and editing.
With thousands of exposed instances online, many served from the default /mftp/ path, it’s a prime target for threat actors, especially given its PHP foundation.
Enterprises and financial institutions rely on it for seamless file operations, but outdated deployments amplify risks.

The issue surfaced during watchTowr Labs’ investigation into an N-day vulnerability in version 2.10.4, which revealed that flaws first reported in 2.10.3 remained unpatched through 2.11.2.
Earlier CVEs, including CVE-2022-27468 (arbitrary file upload) and CVE-2022-31827 (SSRF), weren’t properly fixed despite code tweaks.
Developers added input validation in inputValidator.php for path traversal and sanitization, but these measures did not cover the core RCE path.
How The Vulnerability Works
Attackers exploit the “downloadFile” action in the API endpoint /application/api/api.php. A crafted POST request supplies SFTP connection details in which the remotePath parameter points to an attacker-controlled SFTP server hosting a webshell (e.g., shell.php).
Once connected, Monsta FTP’s SFTPConnection.php uses PHP’s copy() function to fetch and write the file without adequate checks.
This pre-auth RCE chain succeeds, as demonstrated in proofs-of-concept where attackers gain www-data shell access. Exploitation requires no credentials, making it straightforward for automated attacks.

The flaw evaded partial patches until version 2.11.3, released August 26, 2025, which enforces proper validation. CVE assignment followed on November 4, 2025.
Disclosure Timeline
- August 13, 2025: watchTowr discloses to Monsta FTP team.
- August 14, 2025: Acknowledgment received.
- August 15, 2025: Attack surface scan across clients.
- August 26, 2025: Patch in 2.11.3.
- November 4, 2025: CVE-2025-34299 assigned.
- November 6, 2025: Public disclosure.
Mitigation And Impact
Organizations should upgrade to 2.11.3+ immediately, disable exposed instances, and monitor logs for suspicious uploads.
Active exploitation underscores the need for rapid patching, as attackers target unpatched PHP apps. Tools like watchTowr Platform aid in proactive threat hunting.
This saga highlights a patching pitfall: superficial fixes fail against persistent flaws. Stay vigilant—file transfer tools are an often-overlooked part of the attack surface.
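The api.php download chain described above leaves a recognisable trace in the web server access log: a POST to the API endpoint followed shortly by the same client being served a PHP file that a clean install never contained. The following detector is an added example, not code from the article or from Monsta FTP; it assumes Apache/nginx "combined" log format, the default /mftp/ install path, and a hypothetical allowlist (KNOWN_PHP) that you would generate from a pristine copy of your release.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format is assumed; adjust the regex for other formats.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The API endpoint named in the article, under the default /mftp/ install path.
API_PATH = "/mftp/application/api/api.php"
# Hypothetical allowlist of PHP files a clean install serves; build the real one from a pristine release.
KNOWN_PHP = {"/mftp/index.php", API_PATH}

def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["path"] = d["path"].split("?", 1)[0].lower()  # drop the query string
    d["status"] = int(d["status"])
    return d

def find_webshell_drops(lines, window_seconds=600):
    """Flag a client that POSTs to api.php and, within window_seconds, is served (HTTP 200)
    a .php file under /mftp/ that is not on the allowlist: the footprint of a dropped webshell."""
    last_api_post = {}  # client ip -> time of its most recent POST to api.php
    alerts = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["path"] == API_PATH:
            last_api_post[r["ip"]] = r["ts"]
        elif (r["path"].startswith("/mftp/") and r["path"].endswith(".php")
              and r["path"] not in KNOWN_PHP and r["status"] == 200):
            seen = last_api_post.get(r["ip"])
            if seen is not None and 0 <= (r["ts"] - seen).total_seconds() <= window_seconds:
                alerts.append((r["ip"], r["path"], r["ts"].isoformat()))
    return alerts

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Nov/2025:10:00:01 +0000] "POST /mftp/application/api/api.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Nov/2025:10:00:04 +0000] "GET /mftp/shell.php HTTP/1.1" 200 87',
    '203.0.113.5 - - [07/Nov/2025:10:01:00 +0000] "POST /mftp/application/api/api.php HTTP/1.1" 200 640',
    '203.0.113.5 - - [07/Nov/2025:10:01:02 +0000] "GET /mftp/index.php HTTP/1.1" 200 2048',
]
```

Running find_webshell_drops(SAMPLE_LOG) reports only the first client; the second client's POST is followed by a request for an allowlisted file, so it is not flagged.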