Share
## https://sploitus.com/exploit?id=6910EF1A-E4A1-5872-BF10-CBB042EC7845
# CVE-2025-34299 Test Environment

Docker test environment for CVE-2025-34299 - Monsta FTP Pre-Authentication Remote Code Execution vulnerability.

## Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2025-34299 |
| **Severity** | Critical (CVSS 9.8) |
| **CWE** | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
| **Affected Versions** | <= 2.11.2 |
| **Patched Version** | 2.11.3 |
| **KEV** | Yes |

## Description

Monsta FTP versions <= 2.11.2 contain a pre-authenticated remote code execution vulnerability via unrestricted arbitrary file upload. The `downloadFile` API endpoint (`/mftp/application/api/api.php`) accepts user-controlled file paths without proper sanitization, allowing attackers to:

1. Send a POST request with `actionName: downloadFile`
2. Specify a malicious FTP server under their control
3. Instruct Monsta FTP to download arbitrary files (including PHP webshells) to arbitrary server locations
4. Achieve RCE with web server privileges

## Quick Start

```bash
# Clone this repository
git clone https://github.com/KrE80r/CVE-2025-34299-lab.git
cd CVE-2025-34299-lab

# Start the vulnerable environment
docker-compose up -d

# Verify it's running
curl -s http://localhost:8080/mftp/ | grep -o "MonstaFTP"
```

## Testing with Nuclei

```bash
# Test with nuclei template
nuclei -t CVE-2025-34299.yaml -u http://localhost:8080

# Expected output:
# [CVE-2025-34299] [http] [critical] http://localhost:8080/mftp/application/api/api.php ["2.10.4"]
```

## Manual Verification

```bash
# Check if the vulnerable API endpoint is accessible
curl -X POST http://localhost:8080/mftp/application/api/api.php \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'request={"connectionType":"ftp","configuration":{"host":"127.0.0.1","username":"test","initialDirectory":"/","password":"test","port":21},"actionName":"downloadFile","context":{"remotePath":"/test.txt","localPath":"/tmp/test.txt"}}'

# Expected response contains "CONNECTION_FAILURE_ERROR" proving the vulnerable code path is reached
```

## Environment Details

- **Base Image**: php:7.4-apache
- **Monsta FTP Version**: 2.10.4 (vulnerable)
- **Default Port**: 8080
- **Web Path**: /mftp/

## Cleanup

```bash
# Stop and remove the container
docker-compose down

# Remove the image
docker rmi cve-2025-34299-lab-monsta-ftp-vulnerable
```

## References

- [NVD - CVE-2025-34299](https://nvd.nist.gov/vuln/detail/CVE-2025-34299)
- [WatchTowr Labs Advisory](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/)
- [GitHub Advisory - GHSA-42m5-3r2p-wr92](https://github.com/advisories/GHSA-42m5-3r2p-wr92)

## Disclaimer

This environment is provided for **security research and testing purposes only**. Do not use against systems you do not own or have explicit permission to test.

## License

MIT License