CVE-2025-34299: 
Monsta FTP vulnerability analysis and mitigation

Monsta FTP versions 2.11 and earlier contain a critical vulnerability that allows unauthenticated arbitrary file uploads, identified as CVE-2025-34299. The vulnerability was discovered in November 2025 and enables attackers to execute arbitrary code by uploading specially crafted files from a malicious (S)FTP server. This vulnerability affects the web-based FTP client that allows users to manage and transfer files directly through a browser on remote servers, with at least 5,000 instances exposed on the Internet (WatchTowr Blog).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v4.0 score of 9.3 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue affects the file upload functionality in Monsta FTP, allowing attackers to bypass authentication and upload malicious files through a specially configured (S)FTP server connection (VulnCheck Advisory).

The vulnerability has significant impact potential due to its pre-authentication nature and the ability to execute arbitrary code on affected systems. The affected software has a broad user base including financial institutions, enterprises, and individual users, making it an attractive target for threat actors (WatchTowr Blog).

The vulnerability has been patched in version 2.11.3, released on August 26, 2025. Organizations using affected versions should immediately upgrade to version 2.11.3 or later to mitigate this vulnerability (Monsta Notes).