CVE-2025-34299

🗓️ 07 Nov 2025 13:51:33Reported by VulnCheckType

cve🔗 web.nvd.nist.gov📰️ 5 Media mentions👁 24 Views🌐 WEB

Monsta FTP up to version 2.11 allows unauthenticated arbitrary file uploads enabling code execution.

Reporter	Title	Published	Views	Family All 18
GithubExploit	Exploit for CVE-2025-34299	19 Nov 202500:39	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Monstaftp Monsta_Ftp	11 Dec 202503:42	–	githubexploit
Circl	CVE-2025-34299	7 Nov 202510:26	–	circl
CNNVD	Monsta FTP 代码问题漏洞	7 Nov 202500:00	–	cnnvd
Cvelist	CVE-2025-34299 Monsta FTP <= 2.11 Unauthenticated Arbitrary File Upload	7 Nov 202513:51	–	cvelist
EUVD	EUVD-2025-38247	7 Nov 202513:51	–	euvd
HackRead	Monsta FTP Vulnerability Exposed Thousands of Servers to Full Takeover	10 Nov 202510:53	–	hackread
Metasploit	Monsta FTP downloadFile Remote Code Execution	27 Nov 202518:57	–	metasploit
Nuclei	Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution	3 Jun 202606:04	–	nuclei
NVD	CVE-2025-34299	7 Nov 202514:15	–	nvd

NVD

Vulners

CNA

Node

monstaftp monsta_ftpRange≤2.11

[
  {
    "defaultStatus": "unaffected",
    "product": "Monsta FTP",
    "vendor": "Monsta Limited of New Zealand",
    "versions": [
      {
        "lessThanOrEqual": "2.11",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
vulncheck	www.vulncheck.com/advisories/monsta-ftp-unauthenticated-arbitrary-file-upload
monstaftp	www.monstaftp.com/notes/
labs	www.labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/

Parameter	Position	Path	Description	CWE
request	request body	application/api/api.php	Monsta FTP API endpoint used to upload a crafted file via the vulnerable API.	CWE-434

14 May 2026 02:08Current

7.5High risk

Vulners AI Score7.5

CVSS 3.19.8

CVSS 49.3

EPSS0.7411

SSVC