
CVE-2025-34086: CWE-94 Improper Control of Generation of Code ('Code Injection') in Bolt CMS

Severity: High
Tags: CVE-2025-34086, CWE-94, CWE-434
Published: Thu Jul 03 2025 (07/03/2025, 19:46:16 UTC)
Source: CVE Database V5
Vendor/Project: Bolt
Product: CMS

Description

Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 20:10:27 UTC

Technical Analysis

CVE-2025-34086 is a high-severity vulnerability affecting Bolt CMS versions 3.7.0 and earlier, which have reached end-of-life as of December 31, 2021. The vulnerability is a chain of issues that collectively enable an authenticated user to achieve remote code execution (RCE) on the affected system. Specifically, an attacker with valid credentials can inject arbitrary PHP code into the 'displayname' field of their user profile. This field is rendered unsanitized in backend templates, leading to code injection (CWE-94). Subsequently, the attacker can manipulate cached session files through the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path within the publicly accessible /files/ directory and changing its extension to .php, the attacker effectively creates a web shell containing the injected PHP code. The attacker then triggers the malicious payload by sending a crafted HTTP GET request to the renamed file, resulting in remote code execution on the server. This vulnerability exploits improper input sanitization and insecure file handling mechanisms within Bolt CMS. The CVSS 4.0 base score is 7.5, reflecting high severity due to network attack vector, low attack complexity, partial authentication required, partial user interaction, and high impact on confidentiality, integrity, and availability. No official patches are available since the product is end-of-life, increasing the risk for unpatched systems. No known exploits in the wild have been reported yet, but the exploitability is significant given the low complexity and the ability to leverage authenticated access to escalate privileges to full RCE.

Potential Impact

For European organizations using Bolt CMS 3.7.0 or earlier, this vulnerability poses a critical risk. Successful exploitation allows attackers to execute arbitrary PHP code remotely, potentially leading to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is severely impacted as attackers can access sensitive data stored or processed by the CMS. Integrity is compromised by the ability to modify content or system files, and availability can be disrupted by malicious payloads or denial-of-service conditions triggered via the web shell. Since Bolt CMS is used by various organizations for content management, including SMEs and possibly public sector entities, the impact could extend to disruption of business operations and reputational damage. The lack of vendor support and patches increases the risk for organizations that have not migrated to newer CMS platforms. Additionally, the requirement for valid credentials means insider threats or compromised user accounts could be leveraged to exploit this vulnerability. European organizations with Bolt CMS installations exposed to the internet are particularly vulnerable to remote exploitation attempts.

Mitigation Recommendations

Given the end-of-life status of Bolt CMS 3.x, the primary mitigation is to upgrade to a supported CMS platform or a newer version that does not contain this vulnerability. If upgrading is not immediately feasible, organizations should implement strict access controls to limit authenticated user privileges, ensuring that only trusted users have profile editing capabilities. Web application firewalls (WAFs) should be configured to detect and block suspicious requests targeting the /async/browse/cache/.sessions and /async/folder/rename endpoints, as well as attempts to access or rename session files. Monitoring and logging of user profile changes, especially to the displayname field, should be enhanced to detect anomalous input patterns indicative of code injection attempts. Restricting public access to the /files/ directory or disabling execution of PHP scripts in this directory via web server configuration can prevent the execution of the injected web shell. Regular audits of session files and file system permissions should be conducted to detect unauthorized renaming or creation of PHP files. Finally, organizations should enforce strong authentication mechanisms and monitor for compromised credentials to reduce the risk of authenticated exploitation.
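One way to act on the monitoring advice above, as an added example that is not part of this advisory or of Bolt CMS itself: a Python scanner that flags access-log requests to the two /async endpoints and to PHP files under /files/, and reports clients that triggered every rule. The log lines and IP addresses are constructed samples.

```python
import re
from typing import Dict, List

# Apache/nginx combined log format (constructed parser for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two endpoints named in the advisory, plus any .php reachable under /files/.
RULES = [
    ("session-cache-listing", re.compile(r"^/async/browse/cache/\.sessions(?:[/?]|$)")),
    ("folder-rename", re.compile(r"^/async/folder/rename(?:[/?]|$)")),
    ("php-under-files", re.compile(r"^/files/.*\.php(?:[?#]|$)", re.IGNORECASE)),
]

def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per rule the request path matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than crash the scan
    path = m.group("path")
    return [{"rule": name, "ip": m.group("ip"), "method": m.group("method"),
             "path": path, "status": m.group("status")}
            for name, rx in RULES if rx.search(path)]

def scan_log(lines) -> List[Dict[str, str]]:
    return [f for line in lines for f in scan_line(line)]

def full_chain_sources(findings: List[Dict[str, str]]) -> List[str]:
    """Client IPs that hit every rule: listing, rename and PHP under /files/."""
    seen: Dict[str, set] = {}
    for f in findings:
        seen.setdefault(f["ip"], set()).add(f["rule"])
    return sorted(ip for ip, rules in seen.items() if len(rules) == len(RULES))

# Constructed sample log: one benign client, one walking the described chain.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2025:19:50:01 +0000] "GET /bolt/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2025:19:50:14 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2025:19:50:31 +0000] "POST /async/folder/rename HTTP/1.1" 200 48 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jul/2025:19:51:02 +0000] "GET /files/logo.png HTTP/1.1" 200 8813 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2025:19:51:20 +0000] "GET /files/upload.php HTTP/1.1" 200 310 "-" "curl/8.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {h["rule"]} (HTTP {h["status"]})')
    print("clients matching the full chain:", full_chain_sources(hits))
```

A 200 status on the php-under-files rule is the strongest signal, since it means the web server actually served a PHP file from the public directory that the mitigations above say should never execute scripts.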


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.551Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6866dff66f40f0eb729b6244

Added to database: 7/3/2025, 7:54:30 PM

Last enriched: 7/3/2025, 8:10:27 PM

Last updated: 7/7/2025, 7:09:25 PM

