CVE-2025-34299

Published: Nov 7, 2025

Modified: May 14, 2026

PUBLISHED

Description

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

Vendor	Product	Versions
Monsta Limited of New Zealand	Monsta FTP	affected `0 - <= 2.11`

Weaknesses (CWE)

CWE-434

References

https://www.monstaftp.com/notes/

release-notes

patch

https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/

technical-description

exploit

https://www.vulncheck.com/advisories/monsta-ftp-unauthenticated-arbitrary-file-upload

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-34299

Description

Affected Products

Weaknesses (CWE)

References