CVE-2025-34086 is a high-severity vulnerability affecting Bolt CMS versions 3.7.0 and earlier, which have reached end-of-life as of December 31, 2021. The vulnerability is a chain of issues that collectively enable an authenticated user to achieve remote code execution (RCE) on the affected system. Specifically, an attacker with valid credentials can inject arbitrary PHP code into the 'displayname' field of their user profile. This field is rendered unsanitized in backend templates, leading to code injection (CWE-94). Subsequently, the attacker can manipulate cached session files through the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path within the publicly accessible /files/ directory and changing its extension to .php, the attacker effectively creates a web shell containing the injected PHP code. The attacker then triggers the malicious payload by sending a crafted HTTP GET request to the renamed file, resulting in remote code execution on the server. This vulnerability exploits improper input sanitization and insecure file handling mechanisms within Bolt CMS. The CVSS 4.0 base score is 7.5, reflecting high severity due to network attack vector, low attack complexity, partial authentication required, partial user interaction, and high impact on confidentiality, integrity, and availability. No official patches are available since the product is end-of-life, increasing the risk for unpatched systems. No known exploits in the wild have been reported yet, but the exploitability is significant given the low complexity and the ability to leverage authenticated access to escalate privileges to full RCE.

For European organizations using Bolt CMS 3.7.0 or earlier, this vulnerability poses a critical risk. Successful exploitation allows attackers to execute arbitrary PHP code remotely, potentially leading to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is severely impacted as attackers can access sensitive data stored or processed by the CMS. Integrity is compromised by the ability to modify content or system files, and availability can be disrupted by malicious payloads or denial-of-service conditions triggered via the web shell. Since Bolt CMS is used by various organizations for content management, including SMEs and possibly public sector entities, the impact could extend to disruption of business operations and reputational damage. The lack of vendor support and patches increases the risk for organizations that have not migrated to newer CMS platforms. Additionally, the requirement for valid credentials means insider threats or compromised user accounts could be leveraged to exploit this vulnerability. European organizations with Bolt CMS installations exposed to the internet are particularly vulnerable to remote exploitation attempts.

Given the end-of-life status of Bolt CMS 3.x, the primary mitigation is to upgrade to a supported CMS platform or a newer version that does not contain this vulnerability. If upgrading is not immediately feasible, organizations should implement strict access controls to limit authenticated user privileges, ensuring that only trusted users have profile editing capabilities. Web application firewalls (WAFs) should be configured to detect and block suspicious requests targeting the /async/browse/cache/.sessions and /async/folder/rename endpoints, as well as attempts to access or rename session files. Monitoring and logging of user profile changes, especially to the displayname field, should be enhanced to detect anomalous input patterns indicative of code injection attempts. Restricting public access to the /files/ directory or disabling execution of PHP scripts in this directory via web server configuration can prevent the execution of the injected web shell. Regular audits of session files and file system permissions should be conducted to detect unauthorized renaming or creation of PHP files. Finally, organizations should enforce strong authentication mechanisms and monitor for compromised credentials to reduce the risk of authenticated exploitation.