WatchTowr researchers found a remote code execution (RCE) vulnerability in Monsta FTP, a popular web-based file transfer client, that is being exploited in the wild.
The flaw (CVE-2025-34299) stems from unsafe handling of user input during file downloads, enabling attackers to execute arbitrary code on targeted systems without authentication.
Turning Monsta FTP Against Itself
Monsta FTP was discovered to contain an exploitable flaw in its API endpoint /mftp/application/api/api.php.
Specifically, the application accepts user-supplied file paths through the localPath parameter without adequate validation.
By manipulating this input, attackers can trick Monsta FTP into writing files to arbitrary locations on the web server.
An attacker first coerces the Monsta FTP instance into connecting to a malicious SFTP server, then instructs it to download a crafted payload and store it in a web-accessible directory such as /var/www/html/mftp/.
The uploaded file executes with web server privileges, granting the attacker complete control over the server.
Researchers first identified the issue in August 2025 and responsibly disclosed it to Monsta FTP developers. A patch was released, but thousands of devices are still potentially vulnerable to the exploit.
Tracing the Root of the Monsta FTP Flaw
WatchTowr’s investigation traced the flaw back to inadequate validation mechanisms.
Earlier versions — such as 2.10.3 and 2.10.4 — had vulnerabilities like CVE-2022-27468 and CVE-2022-31827 (server-side request forgery vulnerability).
Examination of subsequent versions by the researchers revealed that only superficial changes had been made, leaving the core vulnerabilities intact.
There was an attempt at remediation in version 2.11 by introducing an inputValidator.php module containing new path-sanitization and directory traversal detection functions.
However, these measures failed to address the actual code path responsible for insecure file writes.
When researchers replayed previously known exploit proof-of-concepts, they found the vulnerability persisted even in the updated version.
A fix was released in version 2.11.3. This update properly validates file paths and restricts write operations to designated directories.
Exploitation Without Credentials
The danger of CVE-2025-34299 lies in its unauthenticated exploitation path.
Attackers do not require valid credentials or prior access to the system.
Exploitation grants them server-level code execution, which can be used to install backdoors, exfiltrate data, or pivot deeper into the network.
Given Monsta FTP’s wide adoption among financial institutions, enterprises, and individual users, exploitation attempts have rapidly surfaced.
The default installation path (/mftp/) often hides these instances from routine Internet scans, making detection and remediation more challenging for administrators.
Defending Against CVE-2025-34299
To defend against exploitation of CVE-2025-34299 and similar vulnerabilities, organizations should take a layered, proactive approach to mitigation.
Beyond just applying the latest patch, teams should focus on limiting exposure, tightening network boundaries, and monitoring for abnormal activity.
- Update to version 2.11.3 or later: The latest release contains a complete fix for CVE-2025-34299 and closes associated attack vectors.
- Restrict API access: Configure firewalls to limit access to /mftp/application/api/api.php only from trusted IP addresses or internal networks.
- Implement network segmentation: Isolate web-facing services from critical internal infrastructure to limit the blast radius of potential compromise.
- Monitor for abnormal outbound connections: Since exploitation involves communication with attacker-controlled SFTP servers, unusual outbound SFTP or SSH traffic should trigger alerts.
- Use Web application firewalls (WAFs): Deploying a WAF with input validation and path-traversal detection rules can help mitigate future zero-day exploits.
- Harden server configurations: Disable unnecessary write permissions and ensure that the web server process runs with the least privileges necessary.
- Conduct regular vulnerability assessments: Automated scanning and patch management can help prevent exploitation of unpatched or legacy instances.
By applying these mitigations, organizations strengthen their cyber resilience.
The Monsta FTP RCE vulnerability highlights the persistent risk of inadequate input validation and delayed patching in widely used web applications.
CVE-2025-34299 serves as a reminder that security is a continuous process, not a one-time implementation.
This ongoing need for continuous protection underscores why adopting zero-trust — which enforces verification at every access point — is important for modern security.





