CVE-2025-34299
Published: 07 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
Monsta FTP versions 2.11 and earlier are affected by CVE-2025-34299, an unauthenticated arbitrary file write that stems from unrestricted handling of fetched files. The flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type): the application can be made to fetch an attacker-chosen file from a malicious SFTP server and write it to the target's filesystem without validating its type, ultimately leading to arbitrary code execution on the target system. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity because it is reachable over the network, requires no privileges or user interaction, and can lead to complete system compromise.
Unauthenticated remote attackers exploit this vulnerability by tricking Monsta FTP into connecting to an SFTP server they control and downloading a file of their choosing. Once that file has been written to disk on the Monsta FTP host, it can be executed with the privileges of the Monsta FTP process, potentially granting attackers full control over the server, including data exfiltration, persistence, or lateral movement within the environment.
Advisories from WatchTowr Labs, VulnCheck, and the Monsta FTP vendor's notes provide further details on exploitation and mitigation, including recommendations to upgrade to a patched version where available and to restrict SFTP connections to trusted endpoints.
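The two mitigations named above (restricting which SFTP servers the application will connect to, and refusing to write fetched files of a dangerous type) can both be enforced before any network connection or disk write happens. The following is an added illustration written for this page in Python, not Monsta FTP's own code (Monsta FTP is a PHP application) and not taken from any of the cited advisories; the allowlist, the upload directory, and the extension list are assumed policy values for the example.

```python
"""
Added example (not Monsta FTP code): gate a "fetch this file from that
SFTP server" request so that (a) the application only connects to
allowlisted SFTP hosts and (b) the fetched file can only land under a
fixed upload directory with a non-executable name. Together these
address the two conditions the CVE-2025-34299 advisory describes:
an attacker-controlled SFTP server and an unrestricted file write.
"""
import os
from typing import Optional, Tuple

# Hypothetical policy values for the example; a real deployment would
# load these from its configuration.
TRUSTED_SFTP_HOSTS = {"sftp.corp.example", "10.20.0.5"}
UPLOAD_ROOT = "/var/www/app/uploads"   # the only directory fetched files may land in
# Names the web server would execute (or honour as config) if they were
# written into a served directory. Compared case-insensitively.
DANGEROUS_EXTENSIONS = {"php", "phtml", "phar", "php3", "php5", "php7", "phps", "htaccess"}


def sftp_target_allowed(host: str) -> bool:
    """Return True only for hosts on the explicit allowlist.

    An exact match is required; suffix or prefix tricks such as
    'sftp.corp.example.evil.net' do not pass.
    """
    host = host.strip().lower().rstrip(".")
    return host in TRUSTED_SFTP_HOSTS


def safe_destination(requested_name: str) -> Optional[str]:
    """Map a client-supplied file name to an absolute path under UPLOAD_ROOT.

    Returns None when the name is unsafe. Only the final path component is
    used, so directory traversal in the request is discarded rather than
    resolved. Every dotted component after the first is treated as an
    extension, so 'shell.php.txt' and 'shell.PhP' are both rejected.
    """
    if "\x00" in requested_name or "\\" in requested_name:
        return None
    base = os.path.basename(requested_name)
    if base in ("", ".", "..") or base.startswith("."):
        return None
    if any(part in DANGEROUS_EXTENSIONS for part in base.lower().split(".")[1:]):
        return None
    root = os.path.realpath(UPLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, base))
    # Defence in depth: after symlink resolution the file must still be
    # inside the upload root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def validate_fetch(host: str, requested_name: str) -> Tuple[bool, str]:
    """Apply both checks; on success the second element is the local path."""
    if not sftp_target_allowed(host):
        return False, "sftp host not in allowlist"
    dest = safe_destination(requested_name)
    if dest is None:
        return False, "unsafe destination name"
    return True, dest


if __name__ == "__main__":
    # Constructed requests: a legitimate one and one shaped like the attack.
    for host, name in [("sftp.corp.example", "report.pdf"),
                       ("attacker.example", "shell.php"),
                       ("sftp.corp.example", "../../shell.php.txt")]:
        print(host, name, "->", validate_fetch(host, name))
```

The order of the checks matters: the host allowlist is evaluated first so that no connection is ever made to an unknown server, and the destination check runs before the download so that a rejected file is never written, even temporarily.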
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated remote arbitrary file write leading to RCE in the network-accessible Monsta FTP web application maps directly to Exploit Public-Facing Application (T1190).