Exploit Released for Critical Monsta FTP RCE Vulnerability (CVE-2025-34299)
Monsta FTP CVE-2025-34299 Exploit
Python exploit for the RCE vulnerability in Monsta FTP (CVE-2025-34299).
This vulnerability allows arbitrary PHP code execution on the Monsta FTP server by abusing the downloadFile functionality, which fetches a file from an attacker-supplied FTP or SFTP server and writes it to a user-controlled local path on the Monsta FTP host. The exploit establishes a reverse shell connection using pwntools.
Note: While the watchTowr Labs research demonstrates the vulnerability using SFTP, this exploit uses FTP which also works perfectly fine.
Technical Details
Why FTP Works Too
While the watchTowr Labs research demonstrates the vulnerability using SFTP, FTP works identically because both connection types use the same vulnerable pattern:
SFTP Implementation (SFTPConnection.php):
```php
protected function handleDownloadFile($transferOperation) {
    $remoteURL = $this->getRemoteFileURL($transferOperation->getRemotePath());
    if(@copy($remoteURL, $transferOperation->getLocalPath()))
        return true;
    // …
}
```
FTP Implementation (FTPConnection.php):
```php
protected function handleDownloadFile($transferOperation) {
    return @ftp_get($this->connection,
                    $transferOperation->getLocalPath(),  // <-- User-controlled destination
                    $transferOperation->getRemotePath(),
                    $transferOperation->getTransferMode());
}
```
In both cases, getLocalPath() returns the user-controlled localPath parameter from the request context, allowing arbitrary file write to any location on the server’s filesystem. The only difference is the PHP function used (copy() for SFTP vs ftp_get() for FTP), but both accept user-controlled destination paths without proper validation.
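The missing check is a containment test on localPath. The following is an added example, not Monsta FTP's code or the researchers' code: it confines the destination to a fixed base directory before the path reaches ftp_get() (the same guard applies to the SFTP copy() variant). The names $baseDir, resolveSafeLocalPath and handleDownloadFileHardened are assumptions for illustration.

```php
<?php
// Added example, not Monsta FTP's code: confine the download destination to a
// fixed base directory before it reaches ftp_get() or copy(). The names
// $baseDir, resolveSafeLocalPath and handleDownloadFileHardened are assumed.
// Returns the canonical destination inside $baseDir, or null if the request
// would escape it. The file itself may not exist yet, so the (existing)
// parent directory is canonicalised and the file name re-appended.
function resolveSafeLocalPath(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                       // empty name or embedded NUL byte
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory must exist
    }
    // Every request is relative to $baseDir; a leading slash is not honoured.
    $relative = ltrim(str_replace('\\', '/', $requested), '/');
    $dir  = realpath($base . '/' . dirname($relative));
    $name = basename($relative);
    if ($dir === false || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Containment: parent must be $base itself or a directory below it.
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Hardened form of the FTP handler quoted above; the same guard belongs in
// front of the SFTP copy() call. $ftp and $transferOperation are as on the page.
function handleDownloadFileHardened($ftp, string $baseDir, $transferOperation): bool
{
    $dest = resolveSafeLocalPath($baseDir, $transferOperation->getLocalPath());
    if ($dest === null) {
        error_log('downloadFile rejected: localPath outside ' . $baseDir);
        return false;
    }
    return @ftp_get($ftp, $dest, $transferOperation->getRemotePath(), $transferOperation->getTransferMode());
}

// Self-check with constructed inputs against a throwaway base directory.
$base = sys_get_temp_dir() . '/mftp_' . getmypid();
mkdir($base . '/sub', 0700, true);
var_dump(resolveSafeLocalPath($base, 'sub/report.txt') !== null);        // true
var_dump(resolveSafeLocalPath($base, '/report.txt') !== null);           // true, kept inside base
var_dump(resolveSafeLocalPath($base, 'sub/../../outside.php') === null); // true, rejected
rmdir($base . '/sub'); rmdir($base);
```

The rejected-request branch is also the natural place to emit a log line that a detection rule can key on, since a legitimate client never needs a localPath that resolves outside the configured directory.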
How it works:
- Starts a malicious FTP server with a reverse shell payload
- Uploads the payload to Monsta FTP via the vulnerable downloadFile endpoint
- Triggers the payload execution
- Establishes an interactive reverse shell using pwntools
The payload automatically deletes itself after execution.