
CVE-2025-34299 PoC — Monsta FTP <= 2.11 Unauthenticated Arbitrary File Upload

Associated Vulnerability
Title: Monsta FTP <= 2.11 Unauthenticated Arbitrary File Upload (CVE-2025-34299)
Description: Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

Readme
# **CVE-2025-34299**🚨: Monsta FTP Remote Code Execution Vulnerability💥  

![G5hmSRibcAMiu9N](https://github.com/user-attachments/assets/d8103537-17fc-499c-a378-0dfd9e9bacf6)

---

### **Executive Summary** ✨  

🔓 **CVE-2025-34299** is a **critical**, **unauthenticated** RCE flaw in **Monsta FTP** — a popular web-based file transfer tool.  
🌍 Discovered in **August 2025**, disclosed **November 7, 2025**.  
⚔️ Allows attackers to **upload web shells** via a **malicious (S)FTP server** → **full server takeover**!  
📊 **>5,000 exposed instances** online — **actively exploited** in the wild!  
🔧 **Patch NOW** to **v2.11.3** (released **Aug 26, 2025**)  

---

### **Vulnerability Details** 🔍  

| **Field**               | **Details** |
|-------------------------|-----------|
| **CVE ID**              | `CVE-2025-34299` |
| **Published**           | 📅 Nov 7, 2025 |
| **CNA**                 | VulnCheck |
| **Weakness**            | CWE-434 (Dangerous File Upload) |
| **Root Cause**          | 🕳️ Unsafe file download in `/mftp/application/api/api.php`: the API fetches a file from a caller-supplied (S)FTP server and writes it to disk without safe handling, so a malicious server can plant a `.php` file where the web server will execute it |
| **Attack Vector**       | 🌐 **Network (Remote, Unauthenticated)** |
| **Complexity**          | 🟢 **Low** |
| **Prerequisites**       | ❌ **None** |

**Exploitation Flow** (Simplified):  

1️⃣ Attacker sends a crafted **POST** to `/mftp/application/api/api.php` naming an **(S)FTP server they control**  
2️⃣ Monsta connects to the **attacker’s (S)FTP** server (no login to Monsta required)  
3️⃣ The server returns a **PHP shell**, which Monsta downloads and **writes into a web-accessible path**  
4️⃣ 💣 Attacker requests the dropped file, e.g. `?cmd=whoami` → **RCE achieved**  

**PoC Available** ✅ (watchTowr Labs)
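The flow above as a runnable model of the weakness class (CWE-434 via an unsafe write of a fetched file). This is an added example, not watchTowr's PoC and not Monsta FTP's source; the real API parameters and code path are not reproduced here. The function names `vulnerable_store` / `hardened_store`, the `www` and `staging` directories and the payload body are illustrative assumptions. It contrasts writing the remote-supplied file name straight under the web root with a store that keeps fetched files out of every served directory.

```python
"""Model of the unsafe-download pattern behind CVE-2025-34299 (added example,
not project code). A web app fetches a file from a *user-specified* (S)FTP
server and stores it locally. The vulnerable variant lets the remote peer
choose the name, and therefore whether the web server executes the file."""
import os
import secrets
import tempfile
from pathlib import Path


class UnsafeStore(ValueError):
    """Raised when the hardened store refuses a request."""


def vulnerable_store(webroot: Path, remote_name: str, content: bytes) -> Path:
    """Vulnerable pattern: the fetched file is written under the web root using the
    name the remote server supplied. 'shell.php' becomes an executable URL; a name
    containing '../' escapes the directory entirely."""
    dest = webroot / remote_name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(content)
    return dest


def hardened_store(staging: Path, webroot: Path, remote_name: str, content: bytes) -> dict:
    """Hardened pattern: the file lands outside every web-served directory, under a
    random server-chosen name with a non-executable extension and mode 0600. The
    remote name survives only as metadata. Content is deliberately not filtered:
    a file manager must be able to fetch real .php files, and a file that is never
    served cannot be executed by the web server anyway."""
    staging, webroot = staging.resolve(), webroot.resolve()
    if staging == webroot or webroot in staging.parents:
        raise UnsafeStore("staging directory is inside the web root")
    display_name = os.path.basename(remote_name.replace("\\", "/"))
    if display_name in ("", ".", ".."):
        raise UnsafeStore("remote supplied no usable file name")
    dest = staging / f"{secrets.token_hex(16)}.bin"
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # no clobbering
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return {"path": dest, "display_name": display_name, "size": len(content)}


def demo() -> dict:
    """Exercise both variants in a throwaway tree; www/ plays the web root."""
    tmp = Path(tempfile.mkdtemp(prefix="cwe434-"))
    webroot, staging = tmp / "www", tmp / "staging"
    webroot.mkdir()
    staging.mkdir()
    webroot_r = webroot.resolve()
    shell = b"<?php system($_GET['cmd']); ?>"  # constructed payload body
    v = vulnerable_store(webroot, "shell.php", shell)
    t = vulnerable_store(webroot, "../escaped.php", shell)
    h = hardened_store(staging, webroot, "../../shell.php", shell)
    try:  # staging dir misconfigured to sit under the web root must be refused
        hardened_store(webroot / "tmp", webroot, "x.txt", b"")
        misconfig_caught = False
    except UnsafeStore:
        misconfig_caught = True
    return {
        "vuln_served": v.resolve().is_relative_to(webroot_r) and v.suffix == ".php",
        "vuln_escaped_webroot": not t.resolve().is_relative_to(webroot_r),
        "hard_served": h["path"].resolve().is_relative_to(webroot_r),
        "hard_suffix": h["path"].suffix,
        "hard_display_name": h["display_name"],
        "hard_mode": oct(h["path"].stat().st_mode & 0o777),
        "misconfig_caught": misconfig_caught,
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The design point is that the fix is about *where* and *under what name* the fetched bytes land, not about inspecting them: once nothing a remote peer sends can reach a served path, the web shell is just an inert blob.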

---

### **Severity & Scoring** 📈

| **Metric**       | **Score** | **Emoji** |
|------------------|-----------|----------|
| **CVSS v4.0**    | **9.3** (Critical) | 🔥🔥🔥 |
| **CVSS v3.1**    | (Pending) | ⏳ |
| **EPSS**         | **~0.85** (a score this high sits far above the 80th percentile; EPSS is recomputed daily, so verify the current value at first.org/epss) | ⚡ |
| **In the Wild?** | **YES** | 🏴‍☠️ |

---

### **Affected Systems** 🖥️  

- **Product**: Monsta FTP  
- **Vulnerable**: ≤ **2.11.2**  
- **Fixed In**: **2.11.3+** ✅  
- **Platforms**: Linux, Windows, PHP-based web servers  
- **Exposed**: **5,000+** instances (ZoomEye, Shodan) 🌐  

---

### **Timeline** ⏰

| **Date**            | **Event** |
|---------------------|---------|
| Jul 2025            | v2.11 released (vulnerable) |
| Aug 2025            | watchTowr discovers flaw |
| **Aug 26, 2025**    | **Patch: v2.11.3** 🛡️ |
| Nov 4, 2025         | CVE assigned |
| **Nov 7, 2025**     | **Public Disclosure** 📢 |
| **Nov 10–13, 2025** | **Active Exploitation** 🔥 |

---

### **Exploitation in the Wild** 🏴‍☠️

- ✅ **Confirmed attacks** since August  
- 🔍 Scanners using **ZoomEye**, **Shodan**, **Nuclei**  
- 🎯 Targets: Finance, hosting, enterprises  
- 🛡️ **IoCs**:  
  - POST to `/mftp/application/api/api.php` from unexpected source IPs or scanner/automation user agents (legitimate UI use also POSTs here, so judge by source, volume and timing)  
  - Outbound (S)FTP connections from the Monsta host to IPs that are not known file servers, shortly after such a POST  
  - New or recently modified `.php` files under the web root calling `system()`, `eval()`, `passthru()` or `shell_exec()`  
  - Follow-up requests to those files carrying a command parameter such as `?cmd=`  

---

### **Impact** 💣

| **Risk**         | **Level** | **Details** |
|------------------|-----------|-----------|
| **Server Takeover** | 🌋 **High** | Code execution as the web-server account (e.g. `www-data`); root/admin only if PHP runs privileged or the attacker chains a local privilege escalation |
| **Data Breach**     | 🔒 **High** | Exfiltrate files |
| **Ransomware**      | 💰 **High** | Deploy payloads |
| **Lateral Move**    | 🌐 **Medium** | Pivot in network |

---

### **Mitigation & Remediation** 🛡️

| **Action**                  | **How** |
|-----------------------------|-------|
| **🔧 Patch**                | Upgrade to **v2.11.3+** → [monstaftp.com/download](https://monstaftp.com/download) |
| **🚫 No Workaround**        | Take the instance offline, or restrict `/mftp/` to trusted source IPs or an authenticating proxy, until patched |
| **🌐 Network Controls**     | Egress allowlist: permit outbound TCP/21, TCP/22 and FTPS from the Monsta host only to known file servers |
| **🛡️ WAF Rules**            | Legitimate UI traffic also POSTs to `api.php`, so a blanket block breaks the app; restrict the endpoint by source IP or put authentication in front of it, and alert on POSTs from unknown sources |
| **🔍 Scan**                 | Use: `app="Monsta FTP"` on Shodan/ZoomEye |
| **🛑 Incident Response**    | Isolate → Scan for webshells → Reimage |

**Detection Query (ZoomEye)**:

```text
app="Monsta FTP" vul.cve="CVE-2025-34299"
```
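Host-side triage to pair with the internet-facing query above, covering the IoC list and the "scan for webshells" step of the incident-response row. This is an added example, not tooling from watchTowr Labs or Monsta FTP. The Apache access-log lines, the simplified outbound-connection log (`<ts> OUT <src> -> <dst>:<port>`), the allowlist and the temporary web-root layout are all constructed samples; the log formats and directory names are assumptions you would adapt to your own host.

```python
"""Triage for the CVE-2025-34299 IoCs: API POSTs, outbound (S)FTP to unknown
hosts, command requests to .php files, and fresh webshells on disk.
Added example with constructed sample logs; not project code."""
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

API_PATH = "/mftp/application/api/api.php"
FTP_PORTS = {21, 22, 990}  # FTP, SFTP over SSH, FTPS

# Apache combined log: client, ident, user, [ts], "METHOD path proto", status ...
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Constructed outbound-connection log format (assumption): "YYYY-mm-dd HH:MM:SS OUT src -> dst:port"
CONN_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$'
)
# Primitives named in the IoC list plus the usual webshell helpers.
SHELL_RE = re.compile(rb'\b(system|eval|passthru|shell_exec|exec|assert)\s*\(')

# Constructed samples: an attacker POSTs to the API, the host dials out to an
# unknown FTP server one second later, then the dropped shell is invoked.
ACCESS_LOG = [
    '198.51.100.7 - - [10/Nov/2025:14:03:10 +0000] "POST /mftp/application/api/api.php HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '10.0.0.23 - - [10/Nov/2025:14:03:15 +0000] "GET /mftp/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2025:14:03:19 +0000] "GET /mftp/shell.php?cmd=whoami HTTP/1.1" 200 24 "-" "python-requests/2.32"',
]
CONN_LOG = [
    "2025-11-10 14:03:11 OUT 10.0.0.5 -> 203.0.113.9:21",
    "2025-11-10 14:05:00 OUT 10.0.0.5 -> 192.0.2.10:21",
]
KNOWN_FTP = {"192.0.2.10"}  # file servers this Monsta instance is expected to talk to


def _apache_ts(raw: str) -> datetime:
    """'10/Nov/2025:14:03:10 +0000' -> naive UTC datetime."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).replace(tzinfo=None)


def api_posts(access_lines):
    """POST requests to the Monsta API endpoint as (utc timestamp, client ip)."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == API_PATH:
            hits.append((_apache_ts(m["ts"]), m["src"]))
    return hits


def unknown_ftp_connections(conn_lines, allowlist):
    """Outbound FTP/SFTP/FTPS connections to hosts not on the allowlist."""
    hits = []
    for line in conn_lines:
        m = CONN_RE.match(line)
        if m and int(m["port"]) in FTP_PORTS and m["dst"] not in allowlist:
            hits.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["dst"], int(m["port"])))
    return hits


def correlate(posts, conns, window=timedelta(seconds=30)):
    """Pair each unknown outbound connection with an API POST shortly before it."""
    pairs = []
    for cts, dst, port in conns:
        for pts, src in posts:
            if timedelta(0) <= cts - pts <= window:
                pairs.append({"post_from": src, "ftp_to": f"{dst}:{port}", "gap_s": (cts - pts).total_seconds()})
    return pairs


def shell_requests(access_lines):
    """Requests that pass a cmd= parameter to a .php file (post-exploitation pattern)."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and "?" in m["path"]:
            path, query = m["path"].split("?", 1)
            if path.endswith(".php") and re.search(r"(^|&)cmd=", query):
                hits.append((m["src"], m["path"]))
    return hits


def scan_webroot(root, newer_than: datetime):
    """PHP files modified after `newer_than` that call shell/eval primitives."""
    findings = []
    for p in Path(root).rglob("*.php"):
        mtime = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc).replace(tzinfo=None)
        if mtime < newer_than:
            continue
        m = SHELL_RE.search(p.read_bytes())
        if m:
            findings.append((str(p.relative_to(root)), m.group(1).decode()))
    return sorted(findings)


def demo() -> dict:
    """Run all checks over the samples and a temporary web root with one planted shell."""
    root = Path(tempfile.mkdtemp(prefix="mftp-webroot-"))
    (root / "index.php").write_text("<?php echo 'Monsta FTP'; ?>")       # benign
    (root / "shell.php").write_text("<?php system($_GET['cmd']); ?>")    # constructed webshell
    since = datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(days=1)
    return {
        "correlated": correlate(api_posts(ACCESS_LOG), unknown_ftp_connections(CONN_LOG, KNOWN_FTP)),
        "shell_requests": shell_requests(ACCESS_LOG),
        "webshells": scan_webroot(root, since),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The correlation is what separates a real hit from normal use: the Monsta UI POSTs to `api.php` all day, but a POST from an address that never used the UI, followed within seconds by an outbound FTP connection to a host nobody configured, followed by a `?cmd=` request to a brand-new `.php` file, is the full chain from the flow above.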

---

### **References & Sources** 📚 

- **NVD**: [nvd.nist.gov/vuln/detail/CVE-2025-34299](https://nvd.nist.gov/vuln/detail/CVE-2025-34299)  
- **watchTowr Labs**: [labs.watchtowr.com/...](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/)  
- **VulnCheck**: [vulncheck.com/advisories/...](https://www.vulncheck.com/advisories/monsta-ftp-unauthenticated-arbitrary-file-upload)  
- **Media**: eSecurity Planet, HackRead, GBHackers  
- **X (Twitter)**: @watchtowr, @zoomeye_team, @ransomnews  

---

**Bottom Line**:  
> **Patch. Scan. Monitor. Act Fast.**  
> This is **not a drill** — **CVE-2025-34299** is a **server-ending vulnerability** in the wild.  

**Stay safe out there!** 🛡️✨