CVE-2025-34086: CWE-94 Improper Control of Generation of Code ('Code Injection') in Bolt CMS
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
AI Analysis
Technical Summary
CVE-2025-34086 is a high-severity vulnerability affecting Bolt CMS versions 3.7.0 and earlier, which have reached end-of-life as of December 31, 2021. The vulnerability is a chain of issues that collectively enable an authenticated user to achieve remote code execution (RCE) on the affected system. Specifically, an attacker with valid credentials can inject arbitrary PHP code into the 'displayname' field of their user profile. This field is rendered unsanitized in backend templates, leading to code injection (CWE-94). Subsequently, the attacker can manipulate cached session files through the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path within the publicly accessible /files/ directory and changing its extension to .php, the attacker effectively creates a web shell containing the injected PHP code. The attacker then triggers the malicious payload by sending a crafted HTTP GET request to the renamed file, resulting in remote code execution on the server. This vulnerability exploits improper input sanitization and insecure file handling mechanisms within Bolt CMS. The CVSS 4.0 base score is 7.5, reflecting high severity due to network attack vector, low attack complexity, partial authentication required, partial user interaction, and high impact on confidentiality, integrity, and availability. No official patches are available since the product is end-of-life, increasing the risk for unpatched systems. No known exploits in the wild have been reported yet, but the exploitability is significant given the low complexity and the ability to leverage authenticated access to escalate privileges to full RCE.
Potential Impact
For European organizations using Bolt CMS 3.7.0 or earlier, this vulnerability poses a critical risk. Successful exploitation allows attackers to execute arbitrary PHP code remotely, potentially leading to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is severely impacted as attackers can access sensitive data stored or processed by the CMS. Integrity is compromised by the ability to modify content or system files, and availability can be disrupted by malicious payloads or denial-of-service conditions triggered via the web shell. Since Bolt CMS is used by various organizations for content management, including SMEs and possibly public sector entities, the impact could extend to disruption of business operations and reputational damage. The lack of vendor support and patches increases the risk for organizations that have not migrated to newer CMS platforms. Additionally, the requirement for valid credentials means insider threats or compromised user accounts could be leveraged to exploit this vulnerability. European organizations with Bolt CMS installations exposed to the internet are particularly vulnerable to remote exploitation attempts.
Mitigation Recommendations
Given the end-of-life status of Bolt CMS 3.x, the primary mitigation is to upgrade to a supported CMS platform or a newer version that does not contain this vulnerability. If upgrading is not immediately feasible, organizations should implement strict access controls to limit authenticated user privileges, ensuring that only trusted users have profile editing capabilities. Web application firewalls (WAFs) should be configured to detect and block suspicious requests targeting the /async/browse/cache/.sessions and /async/folder/rename endpoints, as well as attempts to access or rename session files. Monitoring and logging of user profile changes, especially to the displayname field, should be enhanced to detect anomalous input patterns indicative of code injection attempts. Restricting public access to the /files/ directory or disabling execution of PHP scripts in this directory via web server configuration can prevent the execution of the injected web shell. Regular audits of session files and file system permissions should be conducted to detect unauthorized renaming or creation of PHP files. Finally, organizations should enforce strong authentication mechanisms and monitor for compromised credentials to reduce the risk of authenticated exploitation.
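As an added example (not part of the advisory or of Bolt CMS itself), the following Python applies the monitoring recommendations above to web-server access-log lines and to profile displayname values: it flags requests to the two async endpoints and to .php files under /files/, reports clients seen at all three stages of the chain, and checks a displayname for PHP tags. The log lines are constructed; the endpoint paths are the ones named in the advisory, matched by suffix on the assumption that Bolt may be served under a URL prefix.

```python
import re
from urllib.parse import unquote

SAMPLE_LOG = [  # constructed combined-format access-log lines, not real traffic
    '10.0.0.5 - - [03/Jul/2025:19:55:02 +0000] "POST /bolt/profile HTTP/1.1" 302 0',
    '10.0.0.5 - - [03/Jul/2025:19:55:40 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 8831',
    '10.0.0.5 - - [03/Jul/2025:19:56:01 +0000] "POST /async/folder/rename HTTP/1.1" 200 45',
    '10.0.0.7 - - [03/Jul/2025:19:56:30 +0000] "GET /files/report.pdf HTTP/1.1" 200 20451',
    '10.0.0.5 - - [03/Jul/2025:19:57:12 +0000] "GET /files/sess%2Ephp?x=1 HTTP/1.1" 200 312',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(target):
    """Map a request target to the chain stage it matches, or None."""
    path = unquote(target.split("?", 1)[0]).lower()  # drop query string, decode %2E etc.
    if path.endswith("/async/browse/cache/.sessions"):  # suffix match tolerates a /bolt prefix
        return "list-sessions"
    if path.endswith("/async/folder/rename"):
        return "rename-folder"
    if "/files/" in path and path.endswith(".php"):
        return "php-under-files"
    return None

def scan_access_log(lines):
    """Return (ip, stage, target) for every parseable request that matches a stage."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        stage = classify(m["target"])
        if stage:
            findings.append((m["ip"], stage, m["target"]))
    return findings

def full_chain_sources(findings):
    """Return the set of client IPs seen at all three stages of the chain."""
    seen = {}
    for ip, stage, _ in findings:
        seen.setdefault(ip, set()).add(stage)
    return {ip for ip, stages in seen.items() if len(stages) == 3}

PHP_TAG_RE = re.compile(r"<\?(php|=)?|\?>", re.IGNORECASE)

def displayname_looks_injected(name):
    """Flag a profile displayname carrying PHP open/close tags (also after URL-decoding)."""
    return PHP_TAG_RE.search(unquote(name)) is not None
```

Run it over a real access log with `scan_access_log(open(path))`; a client returned by `full_chain_sources` has touched every step of the chain and warrants immediate review of /files/ for unexpected .php files.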
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.551Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6866dff66f40f0eb729b6244
Added to database: 7/3/2025, 7:54:30 PM
Last enriched: 7/3/2025, 8:10:27 PM
Last updated: 7/7/2025, 7:09:25 PM