Tuesday, November 11, 2025

Cybersecurity firm watchTowr has disclosed a critical vulnerability in Monsta FTP, a widely used web-based file management application commonly deployed by hosting providers and web administrators. The vulnerability, tracked as CVE-2025-34299, is rated Critical and allows an unauthenticated (pre-auth) attacker to achieve remote code execution (RCE), enabling full takeover of the server.
The flaw exists because Monsta FTP does not check whether the caller is authorized before processing a file download (fetch) request. An attacker can therefore instruct the server to fetch a malicious payload from an attacker-controlled external source and write it to an arbitrary location on the server's filesystem. Writing a web shell into a web-accessible directory turns this arbitrary file write into full control of the server. watchTowr tested and confirmed exploitation and found more than 5,000 Monsta FTP instances exposed to the internet, putting hosting providers and the organizations they serve at significant risk.
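To make the bug class concrete, the following is an added example, not Monsta FTP's code and not watchTowr's proof of concept: a "fetch a remote file and save it locally" handler written in the vulnerable shape the article describes (no authentication check, client-chosen destination path), next to a hardened version that authenticates first, confines the destination beneath a storage root, and refuses server-executable file names. The `Request` dataclass, the handler names, the storage and web-root directories, and the payload bytes are all constructed for the illustration.

```python
# Added illustration (not Monsta FTP's code): a "fetch a remote file and save it
# locally" handler in the vulnerable shape the article describes, next to a
# hardened version with the checks that prevent the web-shell drop.
import os
import tempfile
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request fails an authorization or path check."""


@dataclass
class Request:
    """Hypothetical request shape: caller state, remote source, requested destination."""
    authenticated: bool
    source_url: str
    dest_path: str


# File types a web server may execute; never accept these from a client.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".cgi"}


def vulnerable_save(req: Request, fetched: bytes, storage_root: str) -> str:
    """Bug pattern: no authentication check and no confinement of dest_path.
    An absolute dest_path such as <webroot>/shell.php lands wherever the
    attacker says, including the web root."""
    dest = req.dest_path if os.path.isabs(req.dest_path) else os.path.join(storage_root, req.dest_path)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(fetched)
    return dest


def confine(storage_root: str, user_path: str) -> str:
    """Resolve user_path beneath storage_root; refuse anything that escapes it
    (absolute paths, '..' segments, symlinks pointing outside)."""
    root = os.path.realpath(storage_root)
    # Treat every client path as relative: stripping leading separators stops
    # an absolute path from overriding the join.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden(f"destination escapes storage root: {user_path!r}")
    return candidate


def is_confined(storage_root: str, user_path: str) -> bool:
    """True if confine() would accept user_path under storage_root."""
    try:
        confine(storage_root, user_path)
        return True
    except Forbidden:
        return False


def hardened_save(req: Request, fetched: bytes, storage_root: str) -> str:
    """Fixed pattern: authenticate first, then confine the destination and
    refuse server-executable file names even inside the storage root."""
    if not req.authenticated:
        raise Forbidden("authentication required")
    dest = confine(storage_root, req.dest_path)
    if os.path.splitext(dest)[1].lower() in EXECUTABLE_EXTENSIONS:
        raise Forbidden("server-executable file types are not accepted")
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(fetched)
    return dest


def _rejected(fn) -> bool:
    """Helper: True if fn() raises Forbidden."""
    try:
        fn()
        return False
    except Forbidden:
        return True


def demo() -> dict:
    """Run both handlers against constructed requests in a temp dir and report
    what each one did. The 'web shell' payload is a harmless stand-in."""
    payload = b"<?php /* constructed stand-in for a web shell */ ?>"
    with tempfile.TemporaryDirectory() as tmp:
        storage = os.path.join(tmp, "storage")
        webroot = os.path.join(tmp, "www")
        os.makedirs(storage)
        os.makedirs(webroot)
        # Unauthenticated attacker asks for an absolute path inside the web root.
        attacker = Request(False, "http://attacker.example/x.txt", os.path.join(webroot, "shell.php"))
        # Authenticated user, but the path walks out of storage into the web root.
        traversal = Request(True, "http://attacker.example/x.txt", "../www/shell.php")
        # Authenticated user, .php name that stays inside the storage root.
        php_inside = Request(True, "http://attacker.example/x.txt", "uploads/shell.php")
        # Authenticated user, ordinary file inside the storage root.
        benign = Request(True, "http://files.example/q3.pdf", "reports/2025/q3.pdf")
        return {
            "vulnerable_wrote_into_webroot": vulnerable_save(attacker, payload, storage).startswith(webroot),
            "hardened_rejects_unauth": _rejected(lambda: hardened_save(attacker, payload, storage)),
            "hardened_rejects_traversal": _rejected(lambda: hardened_save(traversal, payload, storage)),
            "hardened_rejects_php_in_root": _rejected(lambda: hardened_save(php_inside, payload, storage)),
            "hardened_accepts_benign": hardened_save(benign, b"%PDF-1.7", storage).startswith(os.path.realpath(storage)),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The order of the checks in `hardened_save` matters: the authentication gate runs before any path handling, so an unauthenticated caller learns nothing about the filesystem layout, and `confine` resolves symlinks with `realpath` before comparing, so a link inside the storage root that points at the web root is caught as well. The extension deny-list is a second line of defence only; the primary fix is that the destination can no longer leave the storage root.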
watchTowr reported the vulnerability to the Monsta FTP development team on August 13, 2025, and a patch was released in Monsta FTP version 2.11.3 on August 26, 2025. Users are strongly advised to update to version 2.11.3 or later immediately, as the flaw allows complete system compromise without a username or password. Because exploitation writes an attacker-chosen file to the server's disk, administrators of internet-exposed instances should also check web-accessible directories for unexpected files after patching.
Source: https://hackread.com/monsta-ftp-flaw-web-servers-open-server-takeover/
