CVE-2025-54068
Published: 17 July 2025
Summary
CVE-2025-54068 is a critical-severity Code Injection (CWE-94) vulnerability in Laravel Livewire. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly mitigating this RCE vulnerability by mandating an upgrade to the patched Livewire v3.6.4.
SI-10 enforces information input validation, addressing the improper hydration of component property updates that enables code injection in this CVE.
RA-5 mandates vulnerability scanning and monitoring, enabling identification of systems running an affected Livewire v3 version (up to and including v3.6.3).
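The RA-5 control above calls for identifying systems that still run an affected Livewire release. As an added example (not part of this page or the Livewire project), the script below reads a Composer lock file and flags livewire/livewire when its version falls in the affected v3 range up to and including 3.6.3; the lock file contents are constructed for illustration.

```python
import json
import re

# Affected range per the advisory: Livewire v3 up to and including 3.6.3.
# Fixed in 3.6.4. Livewire v2 and earlier major versions are not affected.
AFFECTED_MAJOR = 3
FIXED_VERSION = (3, 6, 4)


def parse_version(tag):
    """Turn a Composer version string such as 'v3.6.3' or '3.6.3' into a tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None  # dev branches and aliases cannot be placed in the range
    return tuple(int(x) for x in m.groups())


def is_vulnerable(tag):
    """True if the version is in the CVE-2025-54068 range, False if not, None if unknown."""
    v = parse_version(tag)
    if v is None:
        return None
    return v[0] == AFFECTED_MAJOR and v < FIXED_VERSION


def check_composer_lock(lock_text):
    """Return (name, version, vulnerable?) for livewire/livewire, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "livewire/livewire":
                return (pkg["name"], pkg["version"], is_vulnerable(pkg["version"]))
    return None


# Constructed sample composer.lock (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.20.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```

Run it against each application's composer.lock; a None result for the version means the pin could not be parsed and should be reviewed by hand.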
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct RCE in a public-facing Livewire/Laravel web component allows remote exploitation of the internet-facing application for arbitrary command execution.
NVD Description
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.
Deeper analysis
CVE-2025-54068 is a critical vulnerability in Livewire, a full-stack framework for Laravel, affecting versions v3 up to and including v3.6.3. It enables remote command execution due to improper handling of certain component property updates during hydration. This flaw is specific to Livewire v3 and does not impact earlier major versions.
Unauthenticated attackers can exploit the vulnerability remotely if a component is mounted and configured in a particular way, with no need for authentication or user interaction. Successful exploitation allows arbitrary command execution on the server, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CWE-94 (Code Injection).
The vulnerability has been addressed in Livewire v3.6.4, and all users are urged to upgrade immediately, with no known workarounds available. Patch details are provided in the GitHub commit ef04be759da41b14d2d129e670533180a44987dc, release notes for v3.6.4, and security advisory GHSA-29cq-5w36-x7w3.
This CVE appears in the CISA Known Exploited Vulnerabilities Catalog and is referenced in a ThreatHunter.ai blog post detailing tools, techniques, IOCs, and IOAs associated with Iranian threat actors.
Details
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 20 March 2026