Critical remote code execution flaw in Monsta FTP web client actively exploited

Take action: If you're using the Monsta FTP web-based file transfer tool, immediately upgrade to version 2.11.3 or later. The flaw is being actively exploited, so an exposed instance is at serious risk of compromise. If you can't upgrade right away, restrict access to the Monsta FTP web interface so it's only reachable from your internal network or via VPN.


WatchTowr Labs is reporting active exploitation of a flaw in Monsta FTP, a web-based file transfer client.

The vulnerability is tracked as CVE-2025-34299 (CVSS score 9.3), a pre-authentication remote code execution vulnerability. It stems from the fact that both the remote file path and the local destination path are user-controlled parameters without adequate validation, which allows an attacker to write malicious PHP code into web-accessible directories and then execute it to gain complete control over the vulnerable system.

The attack abuses Monsta FTP's downloadFile function, which is designed to retrieve files from external SFTP servers. Attackers can reach this functionality through a crafted HTTP POST request to the /mftp/application/api/api.php endpoint. The sequence is: first, the attacker tricks Monsta FTP into connecting to an SFTP server they control; Monsta FTP then downloads a payload file chosen by the attacker; finally, that file is written to an arbitrary path on the target Monsta FTP server.

All versions of Monsta FTP from 2.10.3 through 2.11.2 are vulnerable.

The fix is in Monsta FTP version 2.11.3 and later versions, released after August 26, 2025.

Organizations running Monsta FTP should immediately upgrade to version 2.11.3 or later. As a temporary mitigation for organizations that cannot upgrade right away, administrators should use an allowlist to restrict access to the web interface so it is not reachable from the whole internet.
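To help verify the allowlist recommendation above and to triage whether the API endpoint named in the advisory has been reached from outside, here is an added example (not code from the advisory or from the Monsta FTP project) that scans web-server access logs in combined format and flags POST requests to /mftp/application/api/api.php from source addresses outside an assumed set of internal ranges. The log lines and the internal ranges are constructed for illustration.

```python
"""Flag POSTs to the Monsta FTP API endpoint that come from outside an allowlist.
Added example, not from the advisory or the Monsta FTP project; the sample log
lines and the internal network ranges below are constructed/assumed."""
import ipaddress
import re

# Endpoint named in the advisory as the target of the crafted POST request.
API_ENDPOINT = "/mftp/application/api/api.php"

# Assumed internal ranges; replace with the networks that should reach the UI.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the allowlisted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspicious(lines):
    """Return (ip, timestamp, status) for each POST to the API endpoint from outside the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # compare the path without any query string
        if m["method"] == "POST" and path == API_ENDPOINT and not is_internal(m["ip"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

# Constructed sample lines; 203.0.113.0/24 is a documentation range used here as the external client.
SAMPLE_LOG = [
    '192.168.1.20 - - [27/Aug/2025:09:12:01 +0000] "GET /mftp/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [27/Aug/2025:09:13:44 +0000] "POST /mftp/application/api/api.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.45 - - [27/Aug/2025:09:13:45 +0000] "GET /mftp/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '10.1.2.3 - - [27/Aug/2025:09:20:10 +0000] "POST /mftp/application/api/api.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status in find_suspicious(SAMPLE_LOG):
        print(f"review: external POST to {API_ENDPOINT} from {ip} at {ts} (HTTP {status})")
```

A hit from an external address after the allowlist is in place means the restriction is not effective at the edge; a hit before the fix was applied is a lead for incident response, not proof of compromise on its own.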