CVE-2025-54068
Published 2025-07-17
Priority P1 · 99 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2026-04-03
Exploited in the wild
EPSS 95.38% (99.9th percentile)
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| laravel | livewire | >= 3.0.0 < 3.6.4 | 3.6.4 |
| livewire | livewire | — | — |
| livewire | livewire | >= 3.0.0-beta.1 < 3.6.4 | 3.6.4 |
Detection & IOCs (extracted from sources)
- Identify Livewire-enabled pages by checking for the presence of 'wire:snapshot=', 'data-update-uri=', and 'data-csrf=' or 'csrf-token' in HTTP response bodies — these are prerequisites for exploitation.
- Detect exploitation attempts by monitoring POST requests to the Livewire update URI (extracted from the 'data-update-uri=' attribute) containing a 'components' JSON array with 'snapshot' and 'updates' fields — especially where 'updates' contains nested objects with class references to Illuminate\Broadcasting\BroadcastEvent, Illuminate\Broadcasting\PendingBroadcast, or Illuminate\Validation\Validator.
- The vulnerability is exploitable only when a Livewire v3 component is mounted and exposes a property that can be updated via the hydration mechanism. Shodan fingerprinting via html:"wire:id" can identify exposed instances.
- CVE-2025-54068 exploitation has been attributed to the Iranian state-sponsored group MuddyWater (aka Boggy Serpens). Alert on Livewire RCE exploitation patterns in conjunction with MuddyWater TTPs.
- The exploit flow requires three sequential HTTP requests: (1) GET to harvest wire:snapshot, CSRF token, and update URI; (2) POST to the update URI to obtain a signed snapshot; (3) POST with the deserialization gadget chain payload in the updates field.
- Confirm out-of-band RCE by detecting DNS/HTTP callbacks to interaction servers with the marker parameter '?q=' in the request path, triggered by the embedded curl command in the gadget chain.
- Exploitation requires a Livewire v3 component to be mounted and configured in a particular way — not all Livewire deployments are vulnerable. The specific component property type that triggers the unsafe hydration path must be present.
- This vulnerability is unique to Livewire v3 (up to and including v3.6.3) and does not affect Livewire v1 or v2.
- No known workarounds are available; the only remediation is upgrading to Livewire v3.6.4 or later.
- The Nuclei template is marked 'intrusive' and uses OAST (out-of-band) interaction server callbacks; it should only be run in authorized testing environments.
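An added example (not from the page's sources or from Livewire itself) of the two detection checks above: recognising a Livewire-enabled response by its prerequisite markers, and flagging update POST bodies whose 'updates' field references the listed gadget classes. The sample HTML and request bodies are constructed; the `/livewire/update` path and the nested `{"class": ...}` shape are assumptions for illustration, not the real payload format.

```python
import json
import re
# Class names the detection guidance above lists as indicators inside the 'updates' field.
GADGET_CLASSES = (
    "Illuminate\\Broadcasting\\BroadcastEvent",
    "Illuminate\\Broadcasting\\PendingBroadcast",
    "Illuminate\\Validation\\Validator",
)

def livewire_update_uri(html: str):
    """Update URI of a page carrying the prerequisite markers (snapshot, update URI, CSRF), else None."""
    has_csrf = "data-csrf=" in html or "csrf-token" in html
    if "wire:snapshot=" not in html or "data-update-uri=" not in html or not has_csrf:
        return None
    m = re.search(r'data-update-uri="([^"]+)"', html)
    return m.group(1) if m else None

def _strings(node):
    """Yield every key and string value in a decoded JSON tree, whatever the nesting."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)

def gadget_classes_in_update(body: str):
    """Gadget classes referenced in the 'updates' of a Livewire update POST body ([] if none)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    components = data.get("components", []) if isinstance(data, dict) else []
    hits = []
    for comp in components:
        # The advisory pattern is a 'components' entry carrying both 'snapshot' and 'updates'.
        if not isinstance(comp, dict) or "snapshot" not in comp or "updates" not in comp:
            continue
        for text in _strings(comp["updates"]):
            for cls in GADGET_CLASSES:
                if cls in text and cls not in hits:
                    hits.append(cls)
    return hits

# Constructed sample traffic (not captured from a real exploit); the suspicious body only
# mimics the class-reference shape described above and is not a working gadget chain.
PAGE_HTML = '<div wire:snapshot="{}" data-update-uri="/livewire/update" data-csrf="x">'
BENIGN_BODY = json.dumps({"components": [{"snapshot": "{}", "updates": {"count": 2}}]})
SUSPICIOUS_BODY = json.dumps({"components": [{"snapshot": "{}", "updates": {
    "count": [[], {"class": "Illuminate\\Broadcasting\\PendingBroadcast"}]}}]})
```

Substring matching is deliberate: the class names are caught whether they appear as JSON values, as object keys, or inside a PHP-serialized string.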
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.2 | CRITICAL | — |
| cisa | — | 9.2 | CRITICAL | — |
OSV
OSV · 2025-07-17 · CRITICAL
Livewire is vulnerable to remote command execution during component property update hydration
### Impact
In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction.
### Patches
This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible.
### Workarounds
There is no known workaround at this time. Users are strongly advised to upgrade to a patc
GHSA
GHSA · 2025-07-17 · CRITICAL · CWE-94
Livewire is vulnerable to remote command execution during component property update hydration
The GHSA advisory text is identical to the OSV entry above.
VulnCheck
VulnCheck · 2025 · CVSS 9.2 · CRITICAL · CWE-94
Laravel Livewire Code Injection Vulnerability
Laravel Livewire contains a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.
Affected: Laravel Livewire
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-54068&date=2026-02-17
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-54068&date=2026-02-18
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-54068&date=2026-02-19
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-54068&date=2026-02-2
CISA
CISA · 2026-03-20 · CVSS 9.2 · CRITICAL · CWE-94
Laravel Livewire Code Injection Vulnerability
Affected: Laravel Livewire
Laravel Livewire contains a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3
- https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc
- https://nvd.nist.gov/vuln/detail/CVE-2025-54068
Remediation Due Date: 2026-04-03
No detection rules found.
Nuclei
Nuclei · CVSS 9.2 · CRITICAL
Laravel Livewire v3 - Remote Command Execution
Livewire v3 (Laravel) contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution (RCE) without authentication under certain conditions.
Template (the extract ends partway through the reference list):

```yaml
id: CVE-2025-54068
info:
  name: Laravel Livewire v3 - Remote Command Execution
  author: flame-11
  severity: critical
  description: |
    Livewire v3 (Laravel) contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution (RCE) without authentication under certain conditions.
  impact: |
    An unauthenticated attacker may execute arbitrary commands in the web server context.
  remediation: |
    Upgrade livewire/livewire to a patched version (>= 3.6.4).
  reference:
    - https://github.com/live
```
Hackernews
blogs_hackernews · 2026-03-21 · CVSS 8.8 · HIGH
## CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by April 3, 2026.
The vulnerabilities that have come under exploitation are listed below:
CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025)
CVE-2025-43510 (CVSS score: 7.8) - A
Greynoiseio
blogs_greynoiseio
NoiseLetter February 2026
References:
- https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc
- https://github.com/livewire/livewire/releases/tag/v3.6.4
- https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54068
- https://www.threathunter.ai/blog/iranian-threat-actor-tools-techniques-iocs-ioas/
Timeline:
- 2025-07-17: Published
- 2026-03-20: Added to CISA KEV
- Exploited in the wild