CVE-2025-34086: CWE-94 Improper Control of Generation of Code ('Code Injection') in Bolt CMS
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
AI Analysis
Technical Summary
CVE-2025-34086 is a chain of weaknesses in Bolt CMS 3.7.0 and earlier that lets an authenticated, non-administrative user achieve remote code execution (RCE) by combining an unsanitized profile field with overly permissive backend file management. The displayname field of the user profile accepts arbitrary PHP code and is rendered unsanitized in backend templates; the CVE is filed under CWE-94 (Improper Control of Generation of Code). On its own that would be an injection confined to the backend UI, but the same backend also exposes /async/browse/cache/.sessions, which lists cached session files, and /async/folder/rename, which renames them. By renaming the session file that carries the injected displayname to a path under the publicly served /files/ directory with a .php extension, the attacker turns the injected code into a web shell, then executes it with a crafted HTTP GET request to the new file. No PHP file is ever uploaded, so upload filtering does not interrupt the chain; the outcome is nevertheless that of CWE-434 (a file with a dangerous type placed in a web-served directory). The attack requires valid credentials but no administrative privileges. The CVSS 4.0 base score is 7.5 (high), reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Bolt CMS 3 reached end-of-life on 31 December 2021, so no official patch will be released for these versions, which prolongs exposure for organizations still running them. No exploitation in the wild has been reported, but every step of the chain consists of ordinary HTTP requests and is straightforward for any authenticated user. The case illustrates the risk of running unsupported CMS versions, the need to sanitize fields that are rendered in templates, and the importance of keeping backend file-management features away from directories the web server serves publicly.
Potential Impact
For European organizations, this vulnerability poses a significant risk, particularly for those still running Bolt CMS 3 for public-facing websites or intranet portals. Successful exploitation yields remote code execution, allowing attackers to run arbitrary commands, which can lead to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Because valid credentials are required, the realistic attackers are insiders and anyone holding a compromised or low-privilege account; no administrative role is needed, and once authenticated, injecting the code and creating the web shell is easy. Renaming a session file into an executable PHP script in a public directory sidesteps the upload restrictions that normally stand between an authenticated user and a web shell. Organizations in sectors with a large web presence, such as media, education, and government, may face reputational damage and regulatory penalties under GDPR if personal data confidentiality or integrity is compromised. The lack of vendor support for Bolt CMS 3 means no official patch will appear, so exposure persists until the installation is upgraded or replaced. Attackers could leverage this vulnerability to establish persistent access, disrupt services, or launch further attacks within European networks.
Mitigation Recommendations
Given that Bolt CMS 3 is end-of-life and no official patches exist, the primary mitigation is to upgrade to a supported Bolt release or migrate to an actively maintained CMS. If an immediate upgrade is not feasible, reduce the chain's attack surface at more than one point rather than relying on a single control. Restrict access to the backend, and in particular to the /async/browse/cache/.sessions and /async/folder/rename endpoints, with network-level controls (firewall rules, VPN-only access, WAF rules matching those paths) so that only trusted administrators from known networks can reach them. Configure the web server so that nothing under /files/ is executed as PHP; if that directory is served only as static content, a renamed session file becomes a harmless download rather than a web shell, which defeats the final step of the chain even when the rename succeeds. Enforce multi-factor authentication (MFA) on all backend accounts and review them regularly, removing or downgrading accounts that do not need backend access, since any valid account is sufficient for the attack. Treat fields such as displayname as untrusted data: validate them on input and escape them on output in every template that renders them. For detection, alert on requests to the two endpoints above from any account, on rename operations whose target ends in .php or lands under /files/, and on newly created .php files in public directories; if the rename parameters are not visible in the access log (for example because they travel in a POST body), WAF or application-level logging is needed for that check. Correlating these events per client or session is more reliable than alerting on any one of them alone. Runtime application self-protection (RASP) or endpoint detection and response (EDR) tooling that flags the web-server process spawning shells catches post-exploitation activity. Finally, security awareness training reduces the risk of the credential theft that opens the chain.
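Detection logic for the chain, as an added example that is not part of this page or of Bolt CMS itself: it parses web-server access log lines in combined log format and correlates, per client IP, the three observable stages of the attack (listing the cache session directory, calling the rename endpoint, then fetching a .php file under /files/). The sample log lines, the IP addresses, and the file name cache.php are constructed for the example. The rename endpoint's target path is assumed to travel as a request parameter that a plain access log does not record, which is why the code keys on the later request for a .php file under /files/ instead of on the rename target.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log (combined log format) mixing one attacker-like
# sequence from 203.0.113.5 with benign traffic from 198.51.100.7.
# These lines are made up for the example; they are not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2025:19:40:02 +0000] "POST /bolt/profile/1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jul/2025:19:40:10 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jul/2025:19:40:15 +0000] "POST /async/folder/rename HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jul/2025:19:40:20 +0000] "GET /files/cache.php HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.7 - - [03/Jul/2025:19:41:00 +0000] "GET /files/brochure.pdf HTTP/1.1" 200 88123 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jul/2025:19:41:05 +0000] "GET /async/browse/files/photos HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two backend endpoints named in the advisory, plus the public directory
# where the renamed session file ends up.
SESSION_LISTING = "/async/browse/cache/.sessions"
FOLDER_RENAME = "/async/folder/rename"
PHP_UNDER_FILES = re.compile(r"^/files/.*\.php$", re.IGNORECASE)

# Stages in the order an attacker has to perform them.
CHAIN = ("session_listing", "folder_rename", "php_under_files")


@dataclass(frozen=True)
class Event:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Parse one combined-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]))


def classify(event: Event):
    """Map a request to one of the three chain stages, or None if unrelated."""
    path = event.path.split("?", 1)[0]  # ignore the query string
    if path.startswith(SESSION_LISTING):
        return "session_listing"
    if path.startswith(FOLDER_RENAME):
        return "folder_rename"
    if PHP_UNDER_FILES.match(path):
        return "php_under_files"
    return None


def detect_chain(log_text: str):
    """Return a list of (severity, label, event) findings.

    Every stage hit is reported on its own at 'medium'. When one client IP
    walks the stages in order (list sessions -> rename -> GET /files/*.php)
    a single 'high' finding is added for the completed chain; out-of-order
    or partial sequences only produce the per-stage findings.
    """
    findings = []
    progress = defaultdict(int)  # ip -> index of the next stage expected
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage is None:
            continue
        findings.append(("medium", stage, ev))
        if stage == CHAIN[progress[ev.ip]]:
            progress[ev.ip] += 1
            if progress[ev.ip] == len(CHAIN):
                findings.append(("high", "bolt_session_rename_webshell_chain", ev))
                progress[ev.ip] = 0  # report each completed chain once
    return findings


if __name__ == "__main__":
    for severity, label, ev in detect_chain(SAMPLE_LOG):
        print(f"{severity:6} {label:36} {ev.ip} {ev.method} {ev.path} {ev.status}")
```

Run as a script it prints three medium findings for the individual stages and one high finding for the completed chain from 203.0.113.5, and nothing for the benign client. To run it over real data, pass the contents of the access log to detect_chain; a 404 on /files/*.php is still reported, since probing for the renamed file is itself worth a look. Correlating by client IP is a simplification: behind a shared proxy or NAT, correlate by authenticated user or session cookie from application logs instead.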
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.551Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6866dff66f40f0eb729b6244
Added to database: 7/3/2025, 7:54:30 PM
Last enriched: 11/26/2025, 2:08:58 PM
Last updated: 12/13/2025, 6:50:13 AM
Views: 54