CVE-2026-60105
Monsta Limited · Monsta FTP
Monsta FTP contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass address restrictions via IPv4-mapped IPv6 addresses.
Executive summary
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Monsta FTP allows attackers to bypass security controls and interact with internal network resources.
Vulnerability
The vulnerability (CWE-918) arises from the improper handling of IPv4-mapped IPv6 addresses. An unauthenticated attacker can leverage this flaw to trick the server into making arbitrary requests to internal network services, effectively bypassing existing security perimeters.
Business impact
The CVSS score of 8.6 underscores the severity of this SSRF flaw. By bypassing internal network access controls, an attacker could probe internal services, access metadata endpoints, or interact with databases that are not intended to be exposed to the public internet, potentially leading to significant data exposure or further system compromise.
Remediation
Immediate Action: Update Monsta FTP to version 2.14.5 or later to apply the necessary security fixes for address validation.
Proactive Monitoring: Review web server and application logs for unusual outbound requests or attempts to connect to internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) originating from the Monsta FTP application.
Compensating Controls: Restrict the outbound network access of the server hosting Monsta FTP using an egress firewall policy to block connections to sensitive internal infrastructure.
Exploitation status
Public Exploit Available: false
Analyst recommendation
SSRF vulnerabilities are critical entry points for lateral movement within a network. Administrators must update to the latest version of Monsta FTP immediately and review existing network egress rules to minimize the blast radius of any potential SSRF attempt.