CVE-2025-34299

CRITICAL EXPLOITED NUCLEI

Monsta FTP < 2.11 - Unauthenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

CVE-2025-34299 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Chocapikk, KrE80r, rxerium, including a Metasploit module exploits/multi/http/monsta_ftp_downloadfile_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a functional exploit for CVE-2025-34299, targeting Monsta FTP 2.10.4 via arbitrary file write in the `downloadFile` functionality. It establishes a reverse shell by hosting a malicious FTP server and triggering payload execution.

Description

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

Exploits (4)

nomisec WORKING POC 4 stars

by Chocapikk · remote

https://github.com/Chocapikk/CVE-2025-34299

View Code ZIP pw:eip

This is a functional exploit for CVE-2025-34299, targeting Monsta FTP 2.10.4 via arbitrary file write in the `downloadFile` functionality. It establishes a reverse shell by hosting a malicious FTP server and triggering payload execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Monsta FTP 2.10.4

No auth needed

Prerequisites: Network access to target Monsta FTP instance · Python 3.x with dependencies (pwntools, pyftpdlib, requests)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP

by KrE80r · remote

https://github.com/KrE80r/CVE-2025-34299-lab

View Code ZIP pw:eip

This repository provides a Docker-based test environment for CVE-2025-34299, a pre-authentication RCE vulnerability in Monsta FTP <= 2.11.2 due to unrestricted file upload. It includes setup instructions, verification steps, and references but does not contain exploit code.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Monsta FTP <= 2.11.2

No auth needed

Prerequisites: Docker · access to vulnerable Monsta FTP instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER

by rxerium · poc

https://github.com/rxerium/CVE-2025-34299

View Code ZIP pw:eip

This repository provides a Nuclei template for detecting Monsta FTP versions vulnerable to CVE-2025-34299, an unauthenticated arbitrary file upload vulnerability. It checks for the presence of Monsta FTP and compares the version to identify vulnerable instances.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Monsta FTP versions 2.11 and earlier

No auth needed

Prerequisites: Nuclei installed · Target URL or list of URLs

MITRE ATT&CK

T1595 - Active Scanning

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by watchTowr Labs · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/monsta_ftp_downloadfile_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a pre-auth RCE vulnerability in Monsta FTP < 2.11.3 via the downloadFile action, allowing arbitrary file uploads by tricking the server into connecting to a malicious FTP server. It supports multiple payload types (PHP, Unix/Linux, Windows) and includes a custom FTP server to deliver the payload.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Monsta FTP < 2.11.3

No auth needed

Prerequisites: Network access to the Monsta FTP server · Ability to host a malicious FTP server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution

CRITICALVERIFIEDby KrE80r

Shodan: http.title:"Monsta FTP"

FOFA: title="Monsta FTP"

References (3)

Core 3

Core References

Release Notes release-notes patch

https://www.monstaftp.com/notes/

Exploit, Third Party Advisory technical-description exploit

https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/monsta-ftp-unauthenticated-arbitrary-file-upload

Scores

CVSS v3 9.8

EPSS 0.7411

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-11-26

CWE

CWE-434

Status published

Products (2)

Monsta Limited of New Zealand/Monsta FTP < 2.11

monstaftp/monsta_ftp < 2.11

Published Nov 07, 2025

Tracked Since Feb 18, 2026