Full Report
A large-scale credential theft campaign exploiting CVE-2025-54068, a critical unauthenticated remote code execution vulnerability in Laravel Livewire v3. Attackers used PHP deserialization to execute a Bash-based credential stealer that harvested sensitive application secrets ...
Analysis Summary
# Vulnerability: Unauthenticated RCE in Laravel Livewire (CVE-2025-54068)
## CVE Details
- **CVE ID:** CVE-2025-54068
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Laravel Livewire
- **Versions:** Livewire v3 (specific sub-versions prior to the patch)
- **Configurations:** Applications running Livewire v3 where the application key is compromised or default settings allow for the manipulation of serialized components.
## Vulnerability Description
CVE-2025-54068 is a critical PHP deserialization vulnerability. It allows an unauthenticated remote attacker to execute arbitrary code by sending a specially crafted request to the Livewire endpoint. The flaw exists in how Livewire handles the hydration of components; if an attacker can provide a malicious serialized payload, the application deserializes it, leading to Remote Code Execution (RCE).
## Exploitation
- **Status:** Exploited in the wild (Large-scale campaign detected).
- **Complexity:** Low
- **Attack Vector:** Network (External/Remote)
## Impact
- **Confidentiality:** High (Full access to environment variables, `.env` files, and database contents).
- **Integrity:** High (Ability to modify application code, data, and system files).
- **Availability:** High (Potential for full system takeover or deletion of data).
## Impact Analysis (Campaign Specifics)
The exploitation of this vulnerability in the reported campaign resulted in:
- Theft of credentials from **6,167** applications.
- Exposure of production database credentials, cloud provider keys, and API secrets.
- Exfiltration of over **1,850** full database dumps.
## Remediation
### Patches
- **Update Livewire:** Vulnerable users should immediately update to the latest stable version of Livewire v3 that includes the security fix for CVE-2025-54068.
### Workarounds
- **Rotate APP_KEY:** Since many PHP deserialization attacks rely on a known or leaked `APP_KEY` to sign/verify payloads, rotating the Laravel `APP_KEY` is a critical step if a compromise is suspected.
- **WAF Rules:** Implement Web Application Firewall rules to block suspicious POST requests to the `/livewire/message/*` endpoints that contain serialized PHP objects.
## Detection
- **Indicators of Compromise (IoCs):**
- Presence of Bash-based scripts designed to parse `.env` files and exfiltrate data to remote C2 servers.
- Unusual outbound traffic to unknown IP addresses (potentially linked to Indonesian-origin threat actors).
- Logs showing unexpected 500 errors or deserialization exceptions at the `/livewire/` endpoint.
- **Detection Methods:**
- Scan filesystems for unauthorized scripts or modifications to the `public/` directory.
- Audit Laravel logs for "unserialization" errors or signature verification failures.
## References
- **Vendor Advisory:** hxxps[://]github[.]com/livewire/livewire/security/advisories
- **Incident Report:** hxxps[://]threats[.]wiz[.]io/all-incidents/cve-2025-54068-exploited-in-large-scale-laravel-livewire-credential-theft-campaign
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-54068