PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-60105 Monsta Limited of New Zealand CVE debrief

CVE-2026-60105 is a server-side request forgery vulnerability in Monsta FTP before 2.14.5. The vulnerability is caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials. This vulnerability allows for potential exposure of sensitive information and internal services.

Vendor
Monsta Limited of New Zealand
Product
Monsta FTP
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Administrators and users of Monsta FTP versions before 2.14.5 should be aware of this vulnerability and take immediate action to update to the latest version. Additionally, security teams and researchers should be aware of the potential for exploitation and monitor for suspicious activity.

Technical summary

The vulnerability is caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. This allows an unauthenticated attacker to submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination. The technical impact is that an attacker can potentially retrieve cloud instance metadata credentials.

Defensive priority

High

Recommended defensive actions

  • Update Monsta FTP to version 2.14.5 or later
  • Restrict access to the getSystemVars endpoint
  • Monitor for suspicious activity and implement additional security measures to detect and prevent exploitation
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-08T21:16:54.813Z and was last modified on 2026-07-10T18:46:32.250Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify Monsta FTP version and update status.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:54.813Z and has not been modified since then. The NVD entry is currently Deferred.