CVE-2025-34086 Overview
CVE-2025-34086 is an authenticated remote code execution vulnerability (CWE-94, code injection) affecting Bolt CMS versions 3.7.0 and earlier. The flaw chains PHP code injection through the user profile displayname field with session-file manipulation through the /async/browse/cache/.sessions and /async/folder/rename backend endpoints. An authenticated attacker renames a cached session file that contains the injected PHP code into the public /files/ directory with a .php extension, then requests it with an HTTP GET; the PHP handler executes the payload, leaving the attacker with a web shell. The vendor has confirmed that Bolt 3 reached end-of-life after December 31, 2021, and that this branch will receive no further patches.
Critical Impact
Authenticated attackers can achieve remote code execution as the web server user on Bolt CMS 3.x installations. A public Metasploit module (exploit/multi/http/bolt_authenticated_rce) and an Exploit-DB entry exist, and at the time of writing the EPSS score of 67.402% placed this CVE in the 98th percentile of likely-to-be-exploited vulnerabilities. EPSS is recomputed regularly, so check the current value before prioritising.
Affected Products
- Bolt CMS versions 3.7.0 and earlier
- Bolt 3.x branch (end-of-life after December 31, 2021)
- Installations whose backend, including the /async/ endpoints, is reachable over the network by anyone holding valid backend credentials
Discovery Timeline
- 2025-07-03 - CVE-2025-34086 published to NVD
- 2025-09-16 - Last updated in NVD database
Technical Details for CVE-2025-34086
Vulnerability Analysis
The vulnerability is a multi-step exploitation chain rather than a single flaw. An attacker with valid backend credentials submits arbitrary PHP code in the displayname field of their user profile. Bolt CMS stores that value without sanitization in the attacker's server-side session, so the payload ends up verbatim inside a session file under app/cache/.sessions.
The attacker then enumerates the cached session files through the /async/browse/cache/.sessions endpoint and, using the /async/folder/rename endpoint, moves the session file containing the payload into the publicly accessible /files/ directory while changing its extension to .php. A standard HTTP GET request to the relocated file makes the PHP handler execute the embedded code.
Root Cause
The root cause is improper neutralization of user-supplied input that is persisted into server-side state, combined with overly permissive backend file-management endpoints. The displayname value is written into the session store as-is, and the /async/folder/rename endpoint restricts neither the source path, the destination path, nor the resulting file extension, so a file from the cache directory can be turned into a web-reachable .php file in a single request.
Attack Vector
Exploitation requires network access to the Bolt backend and valid authenticated credentials. The attack proceeds in four stages: inject PHP via a profile update, enumerate session files, rename a session file to /files/<name>.php, and request the renamed file to execute the payload. Public exploit code is available as the Rapid7 Metasploit module exploit/multi/http/bolt_authenticated_rce (Bolt Authenticated RCE) and as Exploit-DB #48296. See the Metasploit module source for the full request sequence.
Detection Methods for CVE-2025-34086
Indicators of Compromise
- PHP files appearing under the web-accessible /files/ directory with names matching session identifier patterns
- HTTP POST requests to /async/folder/rename whose source path references app/cache/.sessions or whose destination ends in .php (these parameters travel in the request body, so they appear in application, WAF, or reverse-proxy body logs; a standard access log records only the URI and will show the POST without its arguments)
- HTTP GET requests to /async/browse/cache/.sessions from authenticated backend users
- User profile updates containing PHP tags (<?php, <?=) in the displayname field
Detection Strategies
- Inspect web server access logs for sequential requests to /async/browse/cache/.sessions, /async/folder/rename, and /files/*.php
- Monitor the application database or profile change events for displayname values containing PHP syntax or HTML script delimiters
- Alert on creation of .php files in directories that should only contain user-uploaded media
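To make the access-log signature from the strategies above concrete, here is an added example (not code from the page's sources, from Bolt, or from the Metasploit module) that parses combined-format access-log lines and correlates them per client into the enumerate, rename and execute stages, plus the displayname check for PHP tags. The log lines are constructed; the /bolt/profile path in them and the 15-minute correlation window are assumptions.

```python
"""Correlate Bolt CMS access-log entries into the CVE-2025-34086 chain.

Added example for this page, not code from the Bolt project or any public exploit.
Assumptions: combined access-log format; the backend is served from the site root
so the async endpoints appear as /async/...; the sample lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Stages 2-4 of the chain as they appear in an access log. Stage 1 (the profile
# update carrying PHP in displayname) is an ordinary POST whose body is not logged,
# so it is checked on the application side with displayname_is_suspicious().
STAGES = (
    ("enumerate", "GET",  re.compile(r"/async/browse/cache/\.sessions(?:/|$)")),
    ("rename",    "POST", re.compile(r"/async/folder/rename(?:/|$)")),
    ("execute",   "GET",  re.compile(r"^/files/[^/]+\.php$")),
)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)|<script\b", re.IGNORECASE)


def parse_line(line):
    """Return ip, time, method, path (query stripped) and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def classify(event):
    """Name the chain stage a successful log event belongs to, or None."""
    if event["status"] >= 400:          # a 403/404 means the step did not succeed
        return None
    for name, method, pattern in STAGES:
        if event["method"] == method and pattern.search(event["path"]):
            return name
    return None


def correlate(lines, window=timedelta(minutes=15)):
    """Emit one alert per client that walks enumerate -> rename -> execute in order.

    A stage only counts if the previous stage was seen from the same client within
    `window`. The access log lacks the POST body, so the rename's source and
    destination are not recoverable here; the later GET to /files/<name>.php is
    what reveals the destination.
    """
    order = [s[0] for s in STAGES]
    progress = {}   # ip -> {stage: time of last accepted event}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        stage = classify(ev) if ev else None
        if stage is None:
            continue
        state = progress.setdefault(ev["ip"], {})
        idx = order.index(stage)
        if idx > 0:
            prev = state.get(order[idx - 1])
            if prev is None or ev["time"] - prev > window:
                continue            # out of order or too old: not part of a chain
        state[stage] = ev["time"]
        if stage == "execute":
            alerts.append({"ip": ev["ip"], "started": state["enumerate"],
                           "execute_path": ev["path"], "execute_status": ev["status"]})
            progress.pop(ev["ip"])  # further hits on the shell do not re-alert
    return alerts


def displayname_is_suspicious(value):
    """Flag a profile displayname carrying PHP open tags or script delimiters."""
    return bool(PHP_TAG_RE.search(value))


# Constructed sample, not a real capture. The /bolt/profile path for stage 1 is an
# assumption used only to make the sequence realistic; it is not a signature.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Sep/2025:10:00:01 +0000] "POST /bolt/profile HTTP/1.1" 302 0',
    '198.51.100.7 - - [16/Sep/2025:10:00:05 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 2110',
    '198.51.100.7 - - [16/Sep/2025:10:00:09 +0000] "POST /async/folder/rename HTTP/1.1" 200 48',
    '198.51.100.7 - - [16/Sep/2025:10:00:12 +0000] "GET /files/sess_k2j9.php?cmd=id HTTP/1.1" 200 89',
    '203.0.113.5 - - [16/Sep/2025:10:01:00 +0000] "GET /files/logo.png HTTP/1.1" 200 4012',
    '203.0.113.5 - - [16/Sep/2025:10:02:00 +0000] "GET /files/shell.php HTTP/1.1" 404 0',
    '192.0.2.9 - - [16/Sep/2025:10:03:00 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 2110',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"chain from {alert['ip']} starting {alert['started']:%H:%M:%S}: "
              f"shell at {alert['execute_path']} (HTTP {alert['execute_status']})")
```

Only the first client trips the alert: the second never performed the enumerate or rename steps and its shell request failed, and the third stopped after enumeration. Because the rename parameters are not in the access log, pair this with the application or WAF body logging noted in the indicators above if you need the source and destination paths.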
Monitoring Recommendations
- Enable file integrity monitoring on the Bolt /files/ and app/cache/.sessions directories
- Forward web server and application logs to a centralized SIEM for correlation across the four-stage attack chain
- Track authentication events for Bolt backend users and review accounts that perform profile edits followed by file operations
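The following added example (again not Bolt project code or any tool the page names) implements the file integrity monitoring recommended above together with the /files/ audit from the mitigation section: it baselines the two directories by SHA-256, diffs them, and flags anything under /files/ that is not media, with extra attributes for the artefact this chain leaves behind. It replays the rename step on a constructed temporary tree so it runs offline; the session-name pattern, the media extension list and the directory layout are assumptions.

```python
"""Baseline-and-diff integrity check for the two Bolt directories this chain touches.

Added example for this page, not Bolt project code. Assumptions: Bolt's layout
(files/ and app/cache/.sessions relative to the install root) and that /files/
should only ever hold media. demo() builds a throwaway tree under a temp directory;
point snapshot() and audit_files_dir() at a real install root instead.
"""
import hashlib
import os
import re
import shutil
import tempfile

WATCHED = ("files", "app/cache/.sessions")      # relative to the Bolt install root
MEDIA_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".pdf", ".webp"}
# PHP session IDs are long runs of [0-9a-zA-Z,-]; file-based handlers prefix them
# with "sess_". Deliberately loose (assumption; tune to your PHP configuration).
SESSION_NAME_RE = re.compile(r"^(?:sess_)?[0-9A-Za-z,-]{22,128}$")
PHP_OPEN_TAG_RE = re.compile(rb"<\?(?:php\b|=)")


def snapshot(root):
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for sub in WATCHED:
        for dirpath, _, names in os.walk(os.path.join(root, sub)):
            for name in names:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff(baseline, current):
    """Classify changes between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def audit_files_dir(root):
    """Policy check for /files/: any non-media file is a finding. A .php file that
    also carries a PHP open tag or a session-id-shaped name matches the
    post-exploitation artefact described for CVE-2025-34086."""
    findings = []
    for dirpath, _, names in os.walk(os.path.join(root, "files")):
        for name in names:
            stem, ext = os.path.splitext(name)
            if ext.lower() in MEDIA_EXTS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(65536)
            findings.append({
                "path": os.path.relpath(full, root),
                "php_extension": ext.lower() == ".php",
                "php_open_tag": bool(PHP_OPEN_TAG_RE.search(head)),
                "session_like_name": bool(SESSION_NAME_RE.match(stem)),
            })
    return findings


def demo():
    """Build a constructed install, baseline it, replay the rename, return the results."""
    root = tempfile.mkdtemp(prefix="bolt-fim-")
    try:
        os.makedirs(os.path.join(root, "files"))
        os.makedirs(os.path.join(root, "app/cache/.sessions"))
        with open(os.path.join(root, "files", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n")                  # placeholder media
        # Constructed session content: the exploit renames the session file as-is,
        # so the injected tag sits inside serialized session data.
        sess = os.path.join(root, "app/cache/.sessions", "sess_" + "a1" * 16)
        with open(sess, "wb") as fh:
            fh.write(b'displayname|s:28:"<?php system($_GET["c"]); ?>";')
        baseline = snapshot(root)

        # The rename stage of the chain: cache file -> /files/<name>.php
        shutil.move(sess, os.path.join(root, "files", "a1" * 16 + ".php"))

        return diff(baseline, snapshot(root)), audit_files_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    changes, findings = demo()
    print("added:", changes["added"])
    print("removed:", changes["removed"])
    for finding in findings:
        print("FINDING", finding)
```

Run the baseline once after a clean deploy and store it off-host; a file that disappears from app/cache/.sessions while a new .php file appears under files/ in the same interval is the chain's rename step, and the audit attributes tell you whether the new file is executable content rather than a misnamed upload.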
How to Mitigate CVE-2025-34086
Immediate Actions Required
- Migrate off Bolt 3.x to a supported Bolt 4.x or 5.x release, as Bolt 3 is end-of-life and will not receive a patch for this issue
- Audit all backend user accounts and remove unused or stale credentials that could be leveraged for authenticated exploitation
- Restrict access to the backend, including the /async/ endpoints, to trusted source addresses using a reverse proxy or web application firewall; do not block /async/ outright, since the backend UI depends on those routes
- Scan the /files/ directory for unauthorized .php files and remove any artifacts of prior exploitation
Patch Information
No security patch is available for the Bolt 3.x branch. According to the BoltCMS Major Announcements, Bolt 3 reached end-of-life after December 31, 2021. The Bolt 3.7.1 release does not remediate this chain. Operators should upgrade to a currently supported major version.
Workarounds
- Configure the web server to refuse PHP execution within the /files/ directory using directives such as php_flag engine off or an Nginx location block that disables the PHP handler
- Restrict access to the Bolt backend (/bolt/ and /async/) by source IP through firewall or reverse proxy rules
- Enforce strong, unique passwords and multi-factor authentication on all backend accounts to raise the bar for the authenticated prerequisite
- Do not rely on file system permissions to stop this chain: the rename is performed by the web server's own user, which must be able to write to /files/ for uploads to work, and permissions cannot distinguish a .php name from a .png. The effective control is the handler-level restriction below, which stops the server from executing anything under /files/ regardless of how it got there
# Nginx: disable PHP execution inside the public /files/ directory.
# The ^~ prefix match stops regex location matching at this level, so the
# nested rule is the only one that ever sees /files/*.php.
location ^~ /files/ {
    location ~ \.php$ {
        return 403;
    }
}

# Apache 2.4: equivalent restriction via an .htaccess file placed in /files/.
# The directives must be live (not commented out) to take effect, and the
# directory needs AllowOverride AuthConfig (or All) for Require to be honoured.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


