CVE-2025-34299

CRITICAL EXPLOITED NUCLEI

Monstaftp Monsta FTP < 2.11 - Unrestricted File Upload

Title source: rule

Description

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

Exploits (5)

nomisec WORKING POC 4 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2025-34299
nomisec WRITEUP
by KrE80r · remote
https://github.com/KrE80r/CVE-2025-34299-lab
nomisec SCANNER
by rxerium · poc
https://github.com/rxerium/CVE-2025-34299
metasploit WORKING POC EXCELLENT
by watchTowr Labs · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/monsta_ftp_downloadfile_rce.rb

Nuclei Templates (1)

Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution
CRITICALVERIFIEDby KrE80r
Shodan: http.title:"Monsta FTP"
FOFA: title="Monsta FTP"

References (3)

Scores

CVSS v3 9.8
EPSS 0.6869
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-11-26
CWE
CWE-434
Status published
Products (1)
monstaftp/monsta_ftp < 2.11
Published Nov 07, 2025
Tracked Since Feb 18, 2026