CVE-2025-34086

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users in Bolt CMS 3.7.0 and earlier to achieve remote code execution through a chain of flaws. Attackers can inject PHP code into user profiles, manipulate session cache files, and execute the code as a web shell. Organizations running end-of-life Bolt 3 installations are affected.

💻 Affected Systems

Products:
  • Bolt CMS
Versions: 3.7.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Bolt 3 reached end-of-life on December 31, 2021, so no official patches are available for this version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Attackers gain web shell access to the server, enabling data theft, defacement, and further exploitation of the hosting environment.

🟢 If Mitigated

With proper authentication controls and file system restrictions, impact is limited to authenticated user privilege escalation within the CMS.

🌐 Internet-Facing: HIGH - Web applications are typically internet-facing, and authenticated users can exploit this from anywhere.
🏢 Internal Only: MEDIUM - Internal authenticated users could still exploit this, but it requires valid credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and multiple steps (injection, file manipulation, execution), but a Metasploit module exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://boltcms.io/newsitem/major-announcements-bolt-3-eol-bolt-4-2-5-0-releases

Restart Required: No

Instructions:

Upgrade to Bolt 4 or Bolt 5, as Bolt 3 is end-of-life and has no official patch. Migrate data to a supported version.

🔧 Temporary Workarounds

Input Sanitization (platform: all)

  • Add custom validation to sanitize displayname field inputs to prevent PHP code injection
  • Implement input filtering in the user profile editing functionality

File Permission Restrictions (platform: linux)

  • Restrict write permissions on the session cache directory and prevent PHP execution in the /files/ directory
  • chmod 755 /path/to/bolt/.sessions
  • Add 'php_flag engine off' to .htaccess in the /files/ directory

🧯 If You Can't Patch

  • Implement strict access controls and monitor authenticated user activity
  • Deploy web application firewall with rules to detect PHP injection and suspicious file operations

🔍 How to Verify

Check if Vulnerable:

Check the Bolt CMS version in the admin panel or via composer show bolt/bolt

Check Version:

composer show bolt/bolt | grep version

Verify Fix Applied:

Verify the upgrade to Bolt 4+, or test that PHP code submitted in the displayname field is not executed

📡 Detection & Monitoring

Log Indicators:

  • Unusual user profile updates with PHP code patterns
  • File rename operations in .sessions directory
  • HTTP requests to .php files in /files/ directory

Network Indicators:

  • POST requests to /async/folder/rename with suspicious parameters
  • GET requests to unexpected .php files

SIEM Query:

source="web_logs" AND (uri="/async/folder/rename" OR uri LIKE "%.php") AND status=200
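Added example (not from the advisory or the Bolt project): a small Python detector that applies the network indicators above to constructed access log lines, scoping the .php rule to /files/ instead of matching every .php URI as the SIEM query does. It assumes the Apache/nginx combined log format and an allowlist of expected PHP entry points.

```python
import re
from collections import namedtuple

# Apache/nginx combined log format (assumption: your access logs use it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# PHP entry points a Bolt 3 site is expected to serve directly. This allowlist is an
# assumption for illustration; adjust it to the paths your deployment actually exposes.
EXPECTED_PHP = {"/index.php"}

Hit = namedtuple("Hit", "rule ip uri status")

def classify(line):
    """Return a Hit for a log line matching one of the advisory's network indicators."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than raise
    ip, method, status = m["ip"], m["method"], int(m["status"])
    path = m["uri"].split("?", 1)[0]  # ignore the query string when matching paths
    if method == "POST" and path == "/async/folder/rename":
        return Hit("session cache file rename", ip, path, status)
    if path.startswith("/files/") and path.endswith(".php") and status == 200:
        return Hit("php executed under /files/", ip, path, status)
    if path.endswith(".php") and path not in EXPECTED_PHP:
        return Hit("unexpected .php request", ip, path, status)
    return None

def scan(lines):
    """Run every line through classify() and keep only the hits, in log order."""
    return [h for h in map(classify, lines) if h is not None]

# Constructed sample access log: one benign visitor and one session following the chain.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:09:58:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2025:09:58:02 +0000] "GET /files/photo.jpg HTTP/1.1" 200 20480',
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "POST /bolt/profile HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "POST /async/folder/rename HTTP/1.1" 200 64',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /files/renamed.php HTTP/1.1" 200 128',
    '203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "GET /thumbs/probe.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.rule:30} {hit.ip:14} {hit.uri} ({hit.status})")
```

The profile update itself (third sample line) produces no hit because access logs do not carry request bodies; the "PHP code in displayname" indicator needs application or WAF logs that record the submitted field.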
