PatchSiren cyber security CVE debrief
CVE-2026-60105 Monsta Limited of New Zealand CVE debrief
CVE-2026-60105 is a server-side request forgery vulnerability in Monsta FTP before 2.14.5. The vulnerability is caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials. This vulnerability allows for potential exposure of sensitive information and internal services.
- Vendor
- Monsta Limited of New Zealand
- Product
- Monsta FTP
- CVSS
- HIGH 7.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of Monsta FTP versions before 2.14.5 should be aware of this vulnerability and take immediate action to update to the latest version. Additionally, security teams and researchers should be aware of the potential for exploitation and monitor for suspicious activity.
Technical summary
The vulnerability is caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. This allows an unauthenticated attacker to submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination. The technical impact is that an attacker can potentially retrieve cloud instance metadata credentials.
Defensive priority
High
Recommended defensive actions
- Update Monsta FTP to version 2.14.5 or later
- Restrict access to the getSystemVars endpoint
- Monitor for suspicious activity and implement additional security measures to detect and prevent exploitation
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-08T21:16:54.813Z and was last modified on 2026-07-10T18:46:32.250Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify Monsta FTP version and update status.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:54.813Z and has not been modified since then. The NVD entry is currently Deferred.