CVE-2025-34086
published 2025-07-03

Priority: P2 · 67 · high
CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 2.15% (79.8th percentile)
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.

Affected (3 ranges)

Vendor    Product   Version range   Fixed in
bolt      bolt      0 – 3.7.0       -
bolt      cms       <= 3.7.0        -
boltcms   bolt      <= 3.7.0        -

Detection & IOCs (extracted from sources)

Type      Value
url       /bolt/profile
url       /async/browse/cache/.sessions
url       /async/folder/rename
url       /files/?=
command   system($_GET[""])
  • Monitor POST requests to /async/folder/rename for session file rename operations targeting the /files/ directory with a .php extension — this is the pivot step that converts a .session file into a web shell.
  • Alert on GET requests to /async/browse/cache/.sessions by authenticated users — this endpoint is used to enumerate session tokens for exploitation.
  • Detect PHP code injection in the displayname/username profile field — specifically patterns like system($_GET[...]) being submitted to /bolt/profile.
  • Alert on GET requests to /files/*.php — especially those containing query parameters used to pass OS commands, indicating web shell execution.
  • Detect the full exploit chain: authenticated POST to /bolt/profile with PHP payload → GET to /async/browse/cache/.sessions → POST to /async/folder/rename → GET to /files/*.php — all within a short time window from the same session.
  • The exploit requires valid authenticated credentials for a Bolt CMS user — unauthenticated exploitation is not possible. Ensure strong credential hygiene and monitor for brute-force attempts against /bolt/login.
  • Bolt 3 reached end-of-life after 31 December 2021 — no vendor patch will be issued. Affected versions include 3.7.0 and 3.6.*.
  • The module was validated against Bolt CMS 3.7.0 on CentOS 7; behavior on other OS/configurations may differ.
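The chain-sequencing rule above (POST /bolt/profile, then GET /async/browse/cache/.sessions, then POST /async/folder/rename, then GET /files/*.php from the same session inside a short window) is easy to state but fiddly to implement correctly, since the per-session state must reset when the window expires. The following is an added detection example, not code from the advisory or from any Bolt CMS project: it runs the chain rule and the single-request rules over constructed, session-aware access log lines (the `sess=` field and the whole log format are assumptions; real web server logs usually need the session id joined in from the application log). A plain access log cannot show the rename target, so the rename stage fires on the endpoint alone; confirming the `.session` to `/files/*.php` rename needs the POST body or the filesystem.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, session id, method, path, status).
# Session a1b2 performs the full chain; c3d4 only edits its profile; e5f6 is benign.
SAMPLE_LOG = """\
2025-07-03T10:00:01 sess=a1b2 POST /bolt/profile 302
2025-07-03T10:00:05 sess=a1b2 GET /async/browse/cache/.sessions 200
2025-07-03T10:00:09 sess=a1b2 POST /async/folder/rename 200
2025-07-03T10:00:12 sess=a1b2 GET /files/shell.php?cmd=id 200
2025-07-03T10:05:00 sess=c3d4 GET /bolt/profile 200
2025-07-03T10:05:30 sess=c3d4 POST /bolt/profile 302
2025-07-03T11:00:00 sess=e5f6 GET /files/report.pdf 200
"""

# Ordered stages of the chain described in the advisory: (HTTP method, path pattern).
CHAIN_STAGES = [
    ("POST", re.compile(r"^/bolt/profile$")),
    ("GET", re.compile(r"^/async/browse/cache/\.sessions")),
    ("POST", re.compile(r"^/async/folder/rename")),
    ("GET", re.compile(r"^/files/[^?]*\.php(\?|$)")),
]

# Per-request rules that fire on their own, independent of the chain.
SINGLE_RULES = {
    "sessions_enumeration": ("GET", re.compile(r"^/async/browse/cache/\.sessions")),
    "folder_rename": ("POST", re.compile(r"^/async/folder/rename")),
    "files_php_with_query": ("GET", re.compile(r"^/files/[^?]*\.php\?.+")),
}

LINE_RE = re.compile(r"^(\S+) sess=(\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sess, method, path, status = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "session": sess,
            "method": method,
            "path": path,
            "status": int(status),
        })
    return events


def match_single_rules(event):
    """Return the names of every single-request rule that matches this event."""
    return [
        name for name, (method, pat) in SINGLE_RULES.items()
        if event["method"] == method and pat.search(event["path"])
    ]


def detect_chain(events, window=timedelta(minutes=10)):
    """Return one alert per session that completes all CHAIN_STAGES in order within `window`."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for sess, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        stage, start = 0, None
        for e in evs:
            # Reset the state machine if the chain started too long ago.
            if start is not None and e["ts"] - start > window:
                stage, start = 0, None
            method, pat = CHAIN_STAGES[stage]
            if e["method"] == method and pat.search(e["path"]):
                if stage == 0:
                    start = e["ts"]
                stage += 1
                if stage == len(CHAIN_STAGES):
                    alerts.append({"session": sess, "start": start, "end": e["ts"]})
                    stage, start = 0, None
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        hits = match_single_rules(e)
        if hits:
            print(f"{e['ts'].isoformat()} {e['session']} {e['method']} {e['path']} -> {hits}")
    for a in detect_chain(evs):
        print(f"CHAIN session={a['session']} {a['start'].isoformat()} .. {a['end'].isoformat()}")
```

Run as-is, the script flags session a1b2 for the full chain and emits single-rule hits for the `.sessions` listing, the rename call and the `/files/*.php?...` request; c3d4 never gets past the first stage. In production the window and the exact path patterns should be tuned to the deployment (the `/bolt` backend prefix is configurable in Bolt), and the profile-POST stage is noisy on its own, so only the completed chain or the `files_php_with_query` hit should page anyone.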

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      7.5     HIGH       CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X