Monsta FTP - RCE (CVE-2025-34299)

CVE-2025-34299 is a critical vulnerability in Monsta FTP versions 2.11 and earlier that allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. Exploiting this flaw, threat actors can compromise the server by uploading malicious files from a rogue (S)FTP server, making it a significant risk for web-based file management environments.

CrowdSec has been tracking this vulnerability and its exploits since 12th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-34299 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-34299 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-34299 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit Monsta FTP by sending crafted POST requests to /mftp/application/api/api.php with malicious SFTP connection parameters, enabling remote file writes and potential code execution on the server.