Arbitrary file upload in Monsta Limited Of New Zealand Ftp

CVE-2025-34299

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

Vulnerability class: Unrestricted File Upload

EPSS: 0.741 (98.9th percentile)

Frequently asked questions

What is CVE-2025-34299?
CVE-2025-34299 is a vulnerability in Monsta Limited Of New Zealand Ftp, classified under Unrestricted Upload of File with Dangerous Type. Published 2025-11-07.

Is CVE-2025-34299 known to be exploited?
4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.