Exploit Released for Critical Monsta FTP RCE Vulnerability (CVE-2025-34299)

Monsta FTP CVE-2025-34299 Exploit

Python exploit for the RCE vulnerability in Monsta FTP (CVE-2025-34299).

This vulnerability allows arbitrary PHP code execution on the Monsta FTP server by exploiting the downloadFile functionality which allows downloading files from a malicious FTP or SFTP server. The exploit establishes a reverse shell connection using pwntools.

Note: While the watchTowr Labs research demonstrates the vulnerability using SFTP, this exploit uses FTP which also works perfectly fine.

Technical Details

Why FTP Works Too

While the watchTowr Labs research demonstrates the vulnerability using SFTP, FTP works identically because both connection types use the same vulnerable pattern:

SFTP Implementation (SFTPConnection.php):

[pastacode lang=”php” manual=”protected%20function%20handleDownloadFile(%24transferOperation)%20%7B%0A%20%20%20%20%24remoteURL%20%3D%20%24this-%3EgetRemoteFileURL(%24transferOperation-%3EgetRemotePath())%3B%0A%20%20%20%20if(%40copy(%24remoteURL%2C%20%24transferOperation-%3EgetLocalPath()))%0A%20%20%20%20%20%20%20%20return%20true%3B%0A%20%20%20%20%2F%2F%20…%0A%7D” message=”” highlight=”” provider=”manual”/]

FTP Implementation (FTPConnection.php):

[pastacode lang=”php” manual=”protected%20function%20handleDownloadFile(%24transferOperation)%20%7B%0A%20%20%20%20return%20%40ftp_get(%24this-%3Econnection%2C%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24transferOperation-%3EgetLocalPath()%2C%20%20%2F%2F%20%3C–%20User-controlled%20destination%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24transferOperation-%3EgetRemotePath()%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24transferOperation-%3EgetTransferMode())%3B%0A%7D” message=”” highlight=”” provider=”manual”/]

In both cases, getLocalPath() returns the user-controlled localPath parameter from the request context, allowing arbitrary file write to any location on the server’s filesystem. The only difference is the PHP function used (copy() for SFTP vs ftp_get() for FTP), but both accept user-controlled destination paths without proper validation.

How it works:

  1. Starts a malicious FTP server with a reverse shell payload
  2. Uploads the payload to Monsta FTP via the vulnerable downloadFile endpoint
  3. Triggers the payload execution
  4. Establishes an interactive reverse shell using pwntools

The payload automatically deletes itself after execution.

Download

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce