CVE-2025-54068
Published: 17 July 2025
Summary
CVE-2025-54068 is a critical-severity Code Injection (CWE-94) vulnerability in Laravel Livewire. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
Livewire, a full-stack framework for Laravel, contains a code injection vulnerability in version 3 up to and including 3.6.3. The flaw arises during hydration of certain component property updates and enables remote command execution when a component is mounted and configured in a specific manner. The issue is restricted to the v3 branch and does not affect earlier major versions.
Unauthenticated attackers can exploit the weakness over the network without user interaction. Successful exploitation grants full remote command execution on the affected server, provided the target component meets the required configuration conditions.
The vulnerability is addressed in Livewire 3.6.4; the project’s advisory and release notes state there are no known workarounds and urge immediate upgrade. The CVE is also listed in the CISA Known Exploited Vulnerabilities catalog.
Public references further associate the flaw with tooling and indicators linked to an Iranian threat actor, and the EPSS score has reached a peak of 0.6406, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21792
Vulnerability details
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 20 March 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE in a public-facing Livewire/Laravel web component enables remote exploitation of the internet-facing application for arbitrary command execution.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly mitigating this RCE vulnerability by mandating upgrade to the patched Livewire v3.6.4.
SI-10 enforces information input validation, addressing the improper hydration of component property updates that enables code injection in this CVE.
RA-5 mandates vulnerability scanning and monitoring, enabling identification of systems running vulnerable Livewire v3 versions affected by this RCE.
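As an added illustration of the RA-5 control above (example code, not from the advisory or the Livewire project), the following Python script classifies the `livewire/livewire` entry in a Composer lock file against the affected range the advisory states: v3.0.0 through v3.6.3 vulnerable, v3.6.4 and later fixed, earlier major versions unaffected. The sample lock content is constructed, and the function names and the `composer.lock` path handling are assumptions of this example.

```python
"""Flag vulnerable Livewire versions in a composer.lock file (added example).

Reads the `packages` and `packages-dev` arrays of a Composer lock file and
classifies any `livewire/livewire` install against the range given in the
advisory for CVE-2025-54068: 3.0.0 <= version <= 3.6.3 is vulnerable,
3.6.4+ is fixed, and majors before 3 are not affected.
"""
import json
import re
import sys
from typing import Dict, List, Optional, Tuple

AFFECTED_PACKAGE = "livewire/livewire"
AFFECTED_FROM = (3, 0, 0)   # v3 branch start (earlier majors unaffected)
FIXED_VERSION = (3, 6, 4)   # first fixed release per the advisory


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Normalise a Composer version string ("v3.6.3", "3.6.3", "3.6.3-beta.1")
    to a (major, minor, patch) tuple. Pre-release suffixes are ignored, so the
    comparison is on the numeric core only. Returns None for branch aliases
    such as "dev-main", which cannot be judged from the lock file alone."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def classify(raw_version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    v = parse_version(raw_version)
    if v is None:
        return "unknown"
    if v < AFFECTED_FROM:
        return "not-affected"
    if v < FIXED_VERSION:
        return "vulnerable"
    return "fixed"


def scan_lock(lock_text: str) -> List[Dict[str, str]]:
    """Return one finding per livewire/livewire entry in the lock file."""
    data = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") != AFFECTED_PACKAGE:
                continue
            version = pkg.get("version", "")
            findings.append({
                "section": section,
                "version": version,
                "status": classify(version),
            })
    return findings


# Constructed sample lock content; the laravel/framework version is illustrative.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    # Usage: python check_livewire.py [path/to/composer.lock]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCK
    results = scan_lock(text)
    if not results:
        print(f"{AFFECTED_PACKAGE} not present in lock file")
    for f in results:
        print(f"{f['section']}: {AFFECTED_PACKAGE} {f['version']} -> {f['status']}")
```

Run it against a real `composer.lock` to inventory installed Livewire versions; a `vulnerable` result means the host falls inside the advisory's affected range and should be upgraded to v3.6.4 or later, while `unknown` (a branch alias) needs manual confirmation of the checked-out commit.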