Cyber Resilience

CVE-2025-54068

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 17 July 2025
Modified: 20 March 2026
KEV Added: 20 March 2026
CVSS v4 base score: 9.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.5888 (98.3rd percentile)
Risk Priority: 74 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54068 is a critical-severity Code Injection (CWE-94, Improper Control of Generation of Code) vulnerability in Laravel Livewire. Its CVSS v4 base score is 9.2 (Critical); note the vector's AC:H, meaning exploitation depends on conditions outside the attacker's control, here the way the target component is mounted and configured.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.7% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

Livewire, a full-stack framework for Laravel, contains a code injection vulnerability in version 3 from 3.0.0 up to and including 3.6.3. The flaw arises during hydration of certain component property updates and enables remote command execution when a component is mounted and configured in a specific manner. The issue is restricted to the v3 branch and does not affect earlier major versions.

Unauthenticated attackers can exploit the weakness over the network without user interaction. Successful exploitation grants full remote command execution on the affected server, provided the target component meets the required configuration conditions. Because those conditions are component-specific, an application is not safe merely because its default components are unaffected; any component in the vulnerable version range should be treated as in scope until the upgrade is applied.

The vulnerability is addressed in Livewire 3.6.4; the project's advisory and release notes state there are no known workarounds and urge immediate upgrade. The CVE is also listed in the CISA Known Exploited Vulnerabilities catalog.

Public references further associate the flaw with tooling and indicators linked to an Iranian threat actor. The EPSS score has reached a peak of 0.6406, i.e. an estimated 64% probability of exploitation activity within the next 30 days, which indicates sustained attacker interest well after disclosure.
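Because the only remediation is the upgrade, the practical first step is an inventory of which deployments pin an affected version. The following is an added example, not code from the Livewire project or this advisory: it reads a Composer lock file, finds the livewire/livewire package, and applies the advisory's range (v3 branch, 3.0.0 through 3.6.3 affected, 3.6.4 fixed). The embedded lock file is constructed for the example; the function and variable names are the author's own choices, not part of any Livewire or Composer API.

```python
"""
Inventory check for CVE-2025-54068 against a composer.lock file.
Affected: livewire/livewire on the v3 branch, 3.0.0 <= version <= 3.6.3.
Fixed:    3.6.4. Earlier major versions (v2) are not affected.
Added example; the sample lock file below is constructed, not a real project.
"""
import json
import re
from typing import List, Optional, Tuple

PACKAGE = "livewire/livewire"
FIXED = (3, 6, 4)

# Constructed sample: the minimal subset of composer.lock fields this check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v12.20.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Turn a Composer release tag such as 'v3.6.3' into (3, 6, 3).

    Anything that is not a plain release tag (dev-main, 3.6.4-beta.1, ...)
    returns None so it is flagged for manual review instead of silently
    passing; a pre-release of 3.6.4 must not be treated as the fix.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Only the v3 branch is affected, from 3.0.0 up to but excluding 3.6.4."""
    return version[0] == 3 and version < FIXED


def scan_lock(lock_json: str) -> List[dict]:
    """Report every livewire/livewire entry in packages and packages-dev.

    Each finding carries the installed tag and one of the statuses
    'affected', 'fixed', 'unaffected-major' or 'unparsed'.
    """
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            tag = pkg.get("version", "")
            version = parse_version(tag)
            if version is None:
                status = "unparsed"
            elif is_affected(version):
                status = "affected"
            elif version[0] == 3:
                status = "fixed"
            else:
                status = "unaffected-major"
            findings.append({"section": section, "version": tag, "status": status})
    return findings


if __name__ == "__main__":
    for finding in scan_lock(SAMPLE_LOCK):
        print(finding)
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file contents. An 'unparsed' result (a branch alias or pre-release tag) is deliberately not classified as fixed; resolve it by checking the actual commit or tag deployed.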


Vulnerability details

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

CWE(s): CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The flaw yields direct RCE in a Livewire/Laravel web component, so an attacker reaching the internet-facing application can exploit it for arbitrary command execution without any prior foothold or credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23209 (shared CWE-94; both on KEV)
CVE-2026-1281 (shared CWE-94; both on KEV)
CVE-2026-1340 (shared CWE-94; both on KEV)
CVE-2025-6204 (shared CWE-94; both on KEV)
CVE-2025-37164 (shared CWE-94; both on KEV)
CVE-2025-49704 (shared CWE-94; both on KEV)
CVE-2026-20045 (shared CWE-94; both on KEV)
CVE-2026-39976 (same vendor: Laravel)
CVE-2025-27515 (same vendor: Laravel)
CVE-2026-23524 (same vendor: Laravel)

Affected Assets

laravel / livewire (Composer package livewire/livewire)
Affected: 3.0.0 through 3.6.3 inclusive (v3 branch only); fixed in 3.6.4

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, directly mitigating this RCE by mandating the upgrade to the patched Livewire v3.6.4 or later.

Prevent: SI-10 (Information Input Validation) enforces validation of inputs, which addresses the class of weakness behind this CVE, untrusted data reaching the hydration of component property updates. Treat this as defence in depth only: the advisory lists no workaround, so input validation at the application edge does not substitute for the upgrade.

Detect: RA-5 (Vulnerability Monitoring and Scanning) mandates vulnerability scanning and monitoring, enabling identification of systems still running Livewire v3 versions in the affected range (3.0.0 through 3.6.3).
