Cyber Resilience

CVE-2025-34086

High · Public PoC · RCE

Published: 03 July 2025

Modified: 16 September 2025
KEV Added: not listed
Patch: no entry recorded
CVSS Score (v4): 7.5, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (supplemental and environmental metrics not defined)
EPSS Score: 0.6740 (98.6th percentile)
Risk Priority: 55, weighted 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34086 is a high-severity vulnerability in Bolt CMS (boltcms/bolt), versions 3.7.0 and earlier, combining code injection (CWE-94) with an unrestricted file rename into a web-executable location (CWE-434). Its CVSS v4 base score is 7.5 (High).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS 0.6740); it is not currently listed in the CISA KEV catalog; and public proof-of-concept code is referenced, including a Metasploit module and an Exploit-DB entry.

Deeper analysis

Bolt CMS 3.7.0 and earlier are affected by a chain of weaknesses that together yield remote code execution. An authenticated backend user can store arbitrary PHP code in the displayname field of their own profile; the value is rendered without sanitization in backend templates. Because the later rename step turns a cached session file into the web shell, the injected display name must also be written to disk inside that .session file, which is what makes the rename useful. The attacker abuses two backend endpoints: /async/browse/cache/.sessions to enumerate the cached session files, and /async/folder/rename to move one of them to a destination under the publicly accessible /files/ directory with a .php extension. The result is a web shell served from the application's own document root.

Exploitation therefore needs valid credentials but nothing more. The sequence is profile injection, file manipulation to expose the payload, and a single crafted HTTP GET request to the renamed file to execute it. The CVSS v4 vector records these preconditions (PR:L, UI:P, AT:P), so practical exposure depends on who can obtain a backend account; the associated CWEs, CWE-94 and CWE-434, reflect the combination of code injection and unrestricted file rename into an executable location.

Bolt 3 reached end-of-life after 31 December 2021, though a 3.7.1 release exists and the affected range recorded here stops at 3.7.0; with the product line unsupported, the durable remediation is migration off Bolt 3. Public exploit code is available, including a Metasploit module and an Exploit-DB entry. The EPSS score stands at 0.6740, with no material rise from a lower baseline.

Vulnerability details

Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
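The chain described above leaves a distinctive three-request footprint in web-server logs, and the rename step fails for want of a simple target check. The following Python is an added example written for this page, not Bolt project code and not the referenced PoC: it correlates the three request stages per client over constructed access-log lines (combined log format assumed) and models the rename-target validation the endpoint should have enforced. The sample IPs, timestamps, file names, the `/files` root and the executable-suffix deny-list are assumptions for illustration.

```python
"""
Added example (not Bolt project code): detect the CVE-2025-34086 exploitation
chain in web-server access logs, and model the rename check the endpoint lacked.

Observable request stages of the chain:
  1. GET  /async/browse/cache/.sessions   list cached session files
  2. POST /async/folder/rename            rename a .session file to /files/*.php
  3. GET  /files/<name>.php               execute the web shell

Assumptions: Apache/nginx combined log format; every value in SAMPLE_LOG below
is constructed for this example.
"""
import posixpath
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample: one client walking the full chain, one benign client.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2025:10:00:01 +0000] "GET /bolt/profile HTTP/1.1" 200 5120
203.0.113.5 - - [03/Jul/2025:10:00:07 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 2211
203.0.113.5 - - [03/Jul/2025:10:00:12 +0000] "POST /async/folder/rename HTTP/1.1" 200 15
203.0.113.5 - - [03/Jul/2025:10:00:15 +0000] "GET /files/shell.php?cmd=id HTTP/1.1" 200 90
198.51.100.9 - - [03/Jul/2025:10:05:00 +0000] "GET /files/image.jpg HTTP/1.1" 200 40000
198.51.100.9 - - [03/Jul/2025:10:05:03 +0000] "POST /async/folder/rename HTTP/1.1" 200 15
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Stage name -> request path pattern, in the order the chain must occur.
STAGES = (
    ("list_sessions", re.compile(r"^/async/browse/cache/\.sessions")),
    ("rename", re.compile(r"^/async/folder/rename")),
    ("trigger", re.compile(r"^/files/.*\.ph(?:p\d?|tml|ar)(?:\?|$)")),
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def classify(path):
    """Map a request path to a chain stage, or None if it is not part of the chain."""
    for name, rx in STAGES:
        if rx.match(path):
            return name
    return None


def find_chains(lines, window_seconds=3600):
    """Return {client_ip: [list_path, rename_path, trigger_path]} for every client
    that performed all three stages, in order, within window_seconds."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["path"])
        if stage is not None:
            per_client[rec["ip"]].append((rec["ts"], stage, rec["path"]))

    hits = {}
    for ip, events in per_client.items():
        events.sort()
        order = [stage for _, stage, _ in events]
        try:
            i = order.index("list_sessions")
            j = order.index("rename", i + 1)
            k = order.index("trigger", j + 1)
        except ValueError:
            continue  # a stage is missing or out of order: not the chain
        if (events[k][0] - events[i][0]).total_seconds() <= window_seconds:
            hits[ip] = [events[i][2], events[j][2], events[k][2]]
    return hits


# Suffixes a typical PHP web server hands to the interpreter (assumed deny-list).
EXECUTABLE_SUFFIXES = {".php", ".php5", ".php7", ".phtml", ".phar", ".phps"}


def is_safe_rename(src, dst, root="/files"):
    """Model of the check a rename endpoint should enforce (illustrative, not Bolt's code):
    both paths must stay inside the managed root after normalisation, and the target
    must not carry a server-executable suffix anywhere in its name (shell.php.jpg included)."""
    for rel in (src, dst):
        absolute = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
        if absolute != root and not absolute.startswith(root + "/"):
            return False  # traversal out of the managed directory (e.g. into the session cache)
    suffixes = {s.lower() for s in PurePosixPath(dst).suffixes}
    return not (suffixes & EXECUTABLE_SUFFIXES)


if __name__ == "__main__":
    for ip, chain in find_chains(SAMPLE_LOG.splitlines()).items():
        print(f"exploit chain from {ip}: {' -> '.join(chain)}")
    print(is_safe_rename("../cache/.sessions/abc.session", "shell.php"))  # False
```

Run against real logs by feeding `find_chains` the lines of the access log; a client that only hits the rename endpoint (the second sample client) is not flagged, which keeps routine file-manager use out of the alert. The `is_safe_rename` model rejects both halves of the attack independently: the traversal from the public root into the cache directory, and any executable suffix in the target name.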

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

boltcms/bolt ≤ 3.7.0

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry rather than from this CVE's actual attack chain. Several entries (portable-device ownership, firmware write-protect, read-only program media) are generic CWE mappings with little bearing on a PHP web application. The controls that match the chain described above are validation of the profile display name, validation of rename targets (no executable extensions, no moves between the session cache and the public /files/ directory), and scanning or detonating any file that lands under /files/.

Addresses CWE-434, CWE-94: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References