🔴 CVE-2025-54068

Livewire v3 contains a critical remote command execution vulnerability in component property update hydration that requires no authentication or user interaction. It allows unauthenticated attackers to achieve RCE against web applications built with Livewire, a full-stack framework for Laravel.

Risk Level: HIGH_RISK
CVSS Score: 9.2
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-17

Added to CISA KEV: 2026-03-20 (246 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-54068 is a critical remote code execution (RCE) vulnerability affecting Livewire, a full-stack framework for Laravel [1].

Vulnerability Overview
  • Affected Versions: Livewire v3 up to and including version 3.6.3 [1].
  • Impact: Successful exploitation allows unauthenticated attackers to achieve remote command execution (RCE) on the server hosting the application [1].
  • Mitigation: The vulnerability has been patched; update to a fixed release of Livewire (3.6.4 is the first fixed release) [2].
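The first check a practitioner will want from this advisory is whether a deployed application pins an affected Livewire release. The script below is an added example for this page, not tooling from the Livewire project or from the cited advisories. It reads composer.lock, which Composer writes for every Laravel install, and compares the livewire/livewire entry against the v3.0.0 to v3.6.3 range given in [1]. The lock-file snippets embedded in it are constructed for the demonstration.

```python
"""Check a Laravel project's composer.lock for a Livewire release inside the
CVE-2025-54068 affected range (livewire/livewire v3.0.0 through v3.6.3, per
the NVD entry cited above).

Added example for this page; not tooling from the Livewire project or from
the cited advisories. The sample lock documents are constructed so the
script runs offline.
"""
import json
import re
import sys
from typing import Optional, Tuple

PACKAGE = "livewire/livewire"
FIRST_VULNERABLE = (3, 0, 0)   # advisory covers the v3 line ...
LAST_VULNERABLE = (3, 6, 3)    # ... up to and including 3.6.3

Version = Tuple[int, int, int]


def parse_version(raw: str) -> Tuple[Optional[Version], str]:
    """Split a Composer version string into (major, minor, patch) and any
    pre-release suffix. 'v3.6.3' -> ((3, 6, 3), ''); '3.6.4-beta.1' ->
    ((3, 6, 4), '-beta.1'); 'dev-main' -> (None, 'dev-main')."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", raw.strip())
    if not m:
        return None, raw.strip()
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix


def is_affected(version: Version) -> bool:
    """True when the release number falls inside the advisory's range."""
    return FIRST_VULNERABLE <= version <= LAST_VULNERABLE


def check_lockfile(lock_json: str) -> dict:
    """Return a verdict for the Livewire entry in a composer.lock document."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            raw = pkg.get("version", "")
            version, suffix = parse_version(raw)
            if version is None:
                # Branch aliases such as dev-main pin a commit, not a release;
                # the commit has to be compared against the fix by hand.
                return {"installed": raw, "status": "unknown",
                        "reason": "non-release version; inspect the pinned commit"}
            if is_affected(version):
                return {"installed": raw, "status": "vulnerable",
                        "reason": "inside advisory range (v3.0.0 to v3.6.3)"}
            if suffix:
                # A pre-release of a later version may predate the fix, so do
                # not let '3.6.4-beta.1' pass as patched on its number alone.
                return {"installed": raw, "status": "unknown",
                        "reason": "pre-release tag; verify it contains the fix"}
            return {"installed": raw, "status": "not_affected",
                    "reason": "outside advisory range (v3.0.0 to v3.6.3)"}
    return {"installed": None, "status": "not_installed",
            "reason": f"{PACKAGE} is not in this lock file"}


# Constructed sample lock files (not taken from any real project).
VULNERABLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})
PATCHED_LOCK = json.dumps({
    "packages": [{"name": "livewire/livewire", "version": "v3.6.4"}],
    "packages-dev": [],
})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_livewire.py /path/to/composer.lock
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_lockfile(fh.read()))
    else:
        for label, lock in (("vulnerable", VULNERABLE_LOCK), ("patched", PATCHED_LOCK)):
            print(label, "->", check_lockfile(lock))
```

Run it with the path to a real composer.lock, or with no argument to see the verdict on the constructed samples. `composer show livewire/livewire` in the project root prints the installed version from the vendor tree, which helps when the lock file is not committed. The script deliberately answers "unknown" for branch aliases (dev-*) and for pre-release tags above 3.6.3, since those have to be checked against the fix commit rather than trusted by number.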
Attack Method and Requirements
  • Exploitation Mechanism: The vulnerability lies in the component property update hydration mechanism [4]. An attacker can abuse it for insecure deserialization (unmarshaling) or to "smuggle" synthesizers into a property update, leading to execution of arbitrary commands [2].
  • Requirements:
    * Network vs. Local: This is a remote vulnerability; it is exploited over the network with no local access required [1].
    * Authentication: The attack is unauthenticated [1].
    * Complexity: Initial reports, and the published Livepyre tool, assumed knowledge of the application's `APP_KEY` [3]; subsequent research showed that smuggling synthesizers through the updates mechanism bypasses the need for the `APP_KEY` entirely [2].
Exploitation and Threat Intelligence
  • Proof-of-Concept (PoC): Public exploitation tooling exists; Synacktiv's "Livepyre" was written to exploit this CVE, in its published form against targets whose `APP_KEY` is known [3].
  • Active Exploitation: The vulnerability is well documented and has public exploit tooling, and its CISA KEV listing (see above) reflects exploitation in the wild. As of June 2026 there is no widespread public reporting of it driving major, named ransomware campaigns, but RCE flaws in popular web frameworks are routine targets for automated scanning and opportunistic exploitation.
  • Targeted Attacks: Given the ease of exploitation and the public tooling, it is a likely initial-access vector against unpatched Laravel applications, from which an attacker can establish persistence or exfiltrate data.

Sources

  1. CVE-2025-54068 Detail - NVD

    Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to ...

  2. Livewire: remote command execution through unmarshaling

    The discovery of CVE-2025-54068 further exposed a critical flaw: the ability to smuggle synthesizers via the updates mechanism, entirely bypassing the need for the APP_KEY. This vulnerability, now patched, forced Livewire to harden its hydration logic by preserving the original snapshot context duri…

  3. GitHub - synacktiv/Livepyre: A tool designed to exploit CVE-2025 ...

    A tool designed to exploit CVE-2025-54068 and Remote Command Execution if the APP_KEY of the Livewire project is known. - synacktiv/Livepyre.

  4. CVE-2025-54068 - GitHub Advisory Database

    Livewire is vulnerable to remote command execution during component property update hydration…