CVE-2025-34086
BaseFortify

Publication date: 2025-07-03

Last updated on: 2025-09-16

Assigner: VulnCheck

Description
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: boltcms
Product: bolt
Version / Range: through 3.7.0 (inclusive)
CWE ID and Description
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Bolt CMS versions 3.7.0 and earlier allows an authenticated user to execute remote code on the server. The attacker injects arbitrary PHP code into the displayname field of their user profile, which is rendered without sanitization in backend templates. They then rename cached session files to have a .php extension in a publicly accessible directory, turning these files into executable web shells. Finally, the attacker triggers the malicious PHP code via crafted HTTP GET requests, enabling remote command execution. [2, 3]


How can this vulnerability impact me?

If exploited, this vulnerability allows an authenticated user to execute arbitrary system commands on the server hosting Bolt CMS. This can lead to full remote code execution, potentially compromising the server, accessing sensitive data, modifying or deleting files, and disrupting service availability. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for unauthorized PHP code injection in the user profile displayname field and by monitoring for suspicious file renaming activities involving session files being renamed to .php files in the publicly accessible /files/ directory. Commands to detect this may include:
1. Inspecting user profiles for PHP code in the displayname field.
2. Checking the /files/ directory for unexpected .php files that could be web shells.
3. Monitoring HTTP requests to the /async/browse/cache/.sessions and /async/folder/rename endpoints for unusual activity.
For example, you can use curl or wget to check for suspicious files:
- List files in the /files/ directory via HTTP GET requests.
- Attempt to access any .php files in /files/ to see if they execute commands.
Additionally, reviewing web server logs for requests to .php files in /files/ or unusual GET parameters may help detect exploitation attempts. [2, 3]

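As an added example, not part of the BaseFortify record or of Bolt's own code, the log-review check described in the answer above applied to constructed web server log lines: it flags requests to the two endpoints named in the description and GET requests for .php files under /files/, and a small helper flags a displayname carrying PHP open tags. The log pattern, the sample lines and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Endpoints and paths named in the advisory description.
SUSPICIOUS_ENDPOINTS = ("/async/browse/cache/.sessions", "/async/folder/rename")
PUBLIC_PHP = re.compile(r"^/files/.*\.php$", re.IGNORECASE)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Assumed common log format: ip - user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def displayname_looks_injected(displayname: str) -> bool:
    """Flag a profile displayname that contains a PHP open tag."""
    return PHP_TAG.search(displayname) is not None

def classify_request(line: str):
    """Return a reason string when a log line matches one of the advisory's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognised access-log line
    path = urlsplit(m.group("target")).path  # drop query string before matching
    if any(path.startswith(ep) for ep in SUSPICIOUS_ENDPOINTS):
        return f"cache/rename endpoint access: {path}"
    if m.group("method") == "GET" and PUBLIC_PHP.match(path):
        return f"php under public files dir: {path}"
    return None

def scan_log(lines):
    """Return (ip, time, reason) for every suspicious line, in log order."""
    findings = []
    for line in lines:
        reason = classify_request(line)
        if reason:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), m.group("time"), reason))
    return findings

# Constructed sample lines (not real traffic): one benign login, the two
# advisory endpoints, a .php fetch under /files/, and a benign image fetch.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jul/2025:10:00:01 +0000] "GET /bolt/login HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Jul/2025:10:00:09 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 2048',
    '10.0.0.5 - - [03/Jul/2025:10:00:15 +0000] "POST /async/folder/rename HTTP/1.1" 200 64',
    '10.0.0.5 - - [03/Jul/2025:10:00:20 +0000] "GET /files/sess_3f2a.php?p=1 HTTP/1.1" 200 128',
    '10.0.0.7 - - [03/Jul/2025:10:01:00 +0000] "GET /files/photo.jpg HTTP/1.1" 200 40960',
]

if __name__ == "__main__":
    for ip, when, reason in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} {reason}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; findings from one client in quick succession, in the order shown above, match the sequence the description lays out.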

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1. Upgrade Bolt CMS to version 3.7.1 or later, which includes security fixes preventing file renaming to blacklisted file types and adds CSRF protections.
2. Restrict or disable user profile editing capabilities for untrusted users to prevent PHP code injection.
3. Monitor and restrict access to the /async/browse/cache/.sessions and /async/folder/rename endpoints.
4. Remove any suspicious .php files from the /files/ directory.
5. If upgrading immediately is not possible, consider disabling or restricting authenticated user access to vulnerable endpoints and monitor for suspicious activity.
The vendor has ended support for Bolt 3 after December 31, 2021, so upgrading to a supported version or applying available patches is critical. [1, 2, 3]

