CVE-2025-54068
published 2025-07-17


Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-04-03
Exploited in the wild
EPSS: 95.38% (99.9th percentile)
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

Affected

3 ranges
Vendor     Product    Version range              Fixed in
laravel    livewire   >= 3.0.0 < 3.6.4           3.6.4
livewire   livewire
livewire   livewire   >= 3.0.0-beta.1 < 3.6.4    3.6.4

Detection & IOCs (extracted from sources)

  • Identify Livewire-enabled pages by checking for the presence of 'wire:snapshot=', 'data-update-uri=', and 'data-csrf=' or 'csrf-token' in HTTP response bodies — these are prerequisites for exploitation.
  • Detect exploitation attempts by monitoring POST requests to the Livewire update URI (extracted from 'data-update-uri=' attribute) containing a 'components' JSON array with a 'snapshot' and 'updates' field — especially where 'updates' contains nested objects with class references to Illuminate\Broadcasting\BroadcastEvent, Illuminate\Broadcasting\PendingBroadcast, or Illuminate\Validation\Validator.
  • The vulnerability is exploitable only when a Livewire v3 component is mounted and exposes a property that can be updated via the hydration mechanism. Shodan fingerprinting via html:"wire:id" can identify exposed instances.
  • CVE-2025-54068 exploitation has been attributed to the Iranian state-sponsored group MuddyWater (aka Boggy Serpens). Alert on Livewire RCE exploitation patterns in conjunction with MuddyWater TTPs.
  • The exploit flow requires three sequential HTTP requests: (1) GET to harvest wire:snapshot, CSRF token, and update URI; (2) POST to the update URI to obtain a signed snapshot; (3) POST with the deserialization gadget chain payload in the updates field.
  • Confirm out-of-band RCE by detecting DNS/HTTP callbacks to interaction servers with the marker parameter '?q=' in the request path, triggered by the embedded curl command in the gadget chain.
  • Exploitation requires a Livewire v3 component to be mounted and configured in a particular way — not all Livewire deployments are vulnerable. The specific component property type that triggers the unsafe hydration path must be present.
  • This vulnerability is unique to Livewire v3 (up to and including v3.6.3) and does not affect Livewire v1 or v2.
  • No known workarounds are available; the only remediation is upgrading to Livewire v3.6.4 or later.
  • The Nuclei template is marked 'intrusive' and uses OAST (out-of-band) interaction server callbacks; it should only be run in authorized testing environments.
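A defender-side sketch of the first two bullets above (the Livewire page inventory check and the request-shape check on the update URI), written for this page as an added example; it is not code from the page or from the Livewire project. The update URI value, the request record layout (method, path, body) and the sample bodies in the usage are assumptions.

```python
import json

# UPDATE_URI: constructed stand-in for a page's data-update-uri value (Livewire default path assumed).
UPDATE_URI = "/livewire/update"

SUSPICIOUS_CLASSES = (  # gadget-chain class references named in the guidance above
    "Illuminate\\Broadcasting\\BroadcastEvent",
    "Illuminate\\Broadcasting\\PendingBroadcast",
    "Illuminate\\Validation\\Validator",
)


def is_livewire_page(html: str) -> bool:
    """Inventory check: the response body carries the markers exploitation needs."""
    return ("wire:snapshot=" in html and "data-update-uri=" in html
            and ("data-csrf=" in html or "csrf-token" in html))


def _strings(node):
    """Yield every string (dict keys and values) nested anywhere in a JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def classify_request(method: str, path: str, body: str) -> str:
    """Label one parsed request: 'benign', 'livewire-update' or 'suspicious-hydration'."""
    if method != "POST" or path != UPDATE_URI:
        return "benign"
    try:
        payload = json.loads(body)
    except ValueError:
        return "benign"
    components = payload.get("components") if isinstance(payload, dict) else None
    if not isinstance(components, list):
        return "benign"
    label = "benign"
    for comp in components:
        if not (isinstance(comp, dict) and "snapshot" in comp and "updates" in comp):
            continue
        label = "livewire-update"  # normal Livewire v3 update traffic
        # Collapse doubled backslashes so escaped and unescaped class names both match.
        for text in _strings(comp["updates"]):
            if any(cls in text.replace("\\\\", "\\") for cls in SUSPICIOUS_CLASSES):
                return "suspicious-hydration"
    return label
```

Feed it parsed proxy or application-log records; an ordinary component update returns 'livewire-update', while an update whose nested values reference one of the listed classes returns 'suspicious-hydration'.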

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v4.0      9.2     CRITICAL   CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck             9.2     CRITICAL
cisa                  9.2     CRITICAL