{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/monsta-ftp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-60105"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Monsta FTP \u003c 2.14.5"],"_cs_severities":["high"],"_cs_tags":["server-side-request-forgery","vulnerability","web-application","credential-access"],"_cs_type":"advisory","_cs_vendors":["Monsta FTP"],"content_html":"\u003cp\u003eMonsta FTP versions prior to 2.14.5 are vulnerable to a Server-Side Request Forgery (SSRF) flaw, identified as CVE-2026-60105. This vulnerability stems from an incomplete IP blocklist check within the \u003ccode\u003eisBlockedIP()\u003c/code\u003e function, which fails to correctly identify and block embedded IPv4 addresses present in IPv4-mapped IPv6 address formats. An unauthenticated attacker can leverage a publicly accessible endpoint, \u003ccode\u003egetSystemVars\u003c/code\u003e, to obtain a CSRF token. With this token, the attacker can then submit a crafted request to the \u003ccode\u003efetchRemoteFile\u003c/code\u003e action. By specifying a source URL that resolves to an IPv4-mapped IPv6 address, the attacker can bypass Monsta FTP's internal IP filtering. This forces the vulnerable Monsta FTP server to initiate HTTP requests to internal network services, such as cloud instance metadata APIs, and then relay the responses to an attacker-controlled FTP server, leading to potential exposure of sensitive cloud credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the public \u003ccode\u003e/getSystemVars\u003c/code\u003e endpoint on the vulnerable Monsta FTP instance to retrieve a CSRF token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ePOST\u003c/code\u003e request targeting the \u003ccode\u003efetchRemoteFile\u003c/code\u003e action, including the obtained CSRF token.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003efetchRemoteFile\u003c/code\u003e request, the attacker specifies a \u003ccode\u003esourceUrl\u003c/code\u003e parameter containing an IPv4-mapped IPv6 address (e.g., \u003ccode\u003ehttp://[::ffff:169.254.169.254]/latest/meta-data/\u003c/code\u003e) pointing to an internal service, such as a cloud instance metadata API.\u003c/li\u003e\n\u003cli\u003eThe Monsta FTP server's \u003ccode\u003eisBlockedIP()\u003c/code\u003e function performs an incomplete IP blocklist check, failing to detect the embedded internal IPv4 address within the IPv4-mapped IPv6 format.\u003c/li\u003e\n\u003cli\u003eMonsta FTP then initiates an HTTP GET request from the server itself to the internal \u003ccode\u003esourceUrl\u003c/code\u003e specified by the attacker, effectively bypassing network segmentation.\u003c/li\u003e\n\u003cli\u003eThe server receives the response from the internal service (e.g., cloud metadata credentials).\u003c/li\u003e\n\u003cli\u003eMonsta FTP subsequently writes this retrieved internal service response to an attacker-controlled FTP destination specified in the \u003ccode\u003efetchRemoteFile\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the sensitive cloud instance metadata credentials from their controlled FTP server, achieving credential access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-60105 by an unauthenticated attacker allows for Server-Side Request Forgery (SSRF), which can lead to significant compromise. The primary impact is the unauthorized retrieval of sensitive data, specifically cloud instance metadata credentials. If obtained, these credentials could grant the attacker extensive access to cloud resources, including virtual machines, storage buckets, and other cloud services associated with the compromised instance. This could result in further lateral movement, data exfiltration, or even complete takeover of the affected cloud environment, depending on the scope of the exposed credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-60105 immediately by upgrading Monsta FTP to version 2.14.5 or later.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect attempts to exploit CVE-2026-60105.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging for your Monsta FTP instance to capture \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e for all requests, particularly those hitting the \u003ccode\u003e/index.php\u003c/code\u003e path with \u003ccode\u003eaction=fetchRemoteFile\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T21:19:16Z","date_published":"2026-07-08T21:19:16Z","id":"https://feed.craftedsignal.io/briefs/2026-07-monsta-ftp-ssrf/","summary":"An unauthenticated attacker can exploit CVE-2026-60105, a Server-Side Request Forgery vulnerability in Monsta FTP before 2.14.5, by leveraging an incomplete IP blocklist check with IPv4-mapped IPv6 addresses to force the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, potentially enabling retrieval of cloud instance metadata credentials.","title":"CVE-2026-60105: Monsta FTP SSRF Vulnerability Leading to Credential Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-07-monsta-ftp-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Monsta FTP","version":"https://jsonfeed.org/version/1.1"}