Skip to main content

Monsta FTP CVE-2026-60105

| EUVDEUVD-2026-42427 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-08 disclosure@vulncheck.com GHSA-hf3x-9vx4-94qv
7.7
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Unauthenticated low-complexity network SSRF (PR:N/AC:L) with a scope change (S:C) as it reads other internal systems; confidentiality impact only (C:H), no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 22:04 EUVD
Analysis Generated
Jul 08, 2026 - 21:48 vuln.today

DescriptionCVE.org

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.

AnalysisAI

Server-side request forgery in Monsta FTP before 2.14.5 lets an unauthenticated remote attacker coerce the server into making HTTP requests to internal-only services and exfiltrate the responses. The flaw lives in the fetchRemoteFile action, where the isBlockedIP() SSRF filter fails to recognize IPv4-mapped IPv6 addresses, so blocklisted internal ranges can be reached anyway; a CSRF token is trivially obtainable from the public getSystemVars endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Locate exposed Monsta FTP server
Delivery
Fetch CSRF token from getSystemVars
Exploit
Submit fetchRemoteFile with IPv4-mapped URL
Install
Bypass isBlockedIP() filter
C2
Server queries internal metadata service
Execute
Response written to attacker FTP
Impact
Steal cloud credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to run Monsta FTP before 2.14.5 with the network-reachable fetchRemoteFile action and the public getSystemVars endpoint available (both present by default), and the attacker must supply a source URL that resolves to an IPv4-mapped IPv6 address so it bypasses isBlockedIP(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, base 7.7) models this as network-reachable, low-complexity, unauthenticated exploitation whose impact falls entirely on subsequent systems (SC:H) rather than the Monsta FTP host itself (VC:N/VI:N/VA:N) - an accurate reflection of SSRF that reads OTHER internal services. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-exposed Monsta FTP instance, requests a CSRF token from the public getSystemVars endpoint, then submits a fetchRemoteFile request with a source URL pointing at an IPv4-mapped IPv6 address (e.g. resolving to ::ffff:169.254.169.254) that the isBlockedIP() filter fails to block. …
Remediation Vendor-released patch: 2.14.5 - upgrade Monsta FTP to 2.14.5 or later, which corrects the isBlockedIP() logic to detect IPv4-mapped IPv6 addresses; see the release notes at https://www.monstaftp.com/notes/ and the advisory at https://www.vulncheck.com/advisories/monsta-ftp-ssrf-via-ipv4-mapped-ipv6-address-bypass. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Monsta FTP deployments, document versions, and immediately restrict network access from untrusted sources via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy