CVE-2025-54068

CRITICAL KEV NUCLEI

Livewire 3.0.0-3.6.3 - Unauthenticated Remote Code Execution via Component Property Hydration

Exploitation Summary

CVE-2025-54068 is actively exploited and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on March 20, 2026. EIP tracks 6 public exploits from researchers including synacktiv, haxorstars, and z0d131482700x. A Nuclei detection template is also available.

Description

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

Exploits (6)

nomisec WORKING POC 117 stars
by synacktiv · remote
https://github.com/synacktiv/Livepyre

This repository contains a functional exploit tool for CVE-2025-54068, targeting Livewire versions below 3.6.4. The exploit leverages Laravel's encryption mechanisms to achieve remote command execution (RCE) either with or without the APP_KEY.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Livewire (versions < 3.6.4)
No auth needed
Prerequisites: Target running vulnerable Livewire version · APP_KEY (optional for enhanced exploit reliability)
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 3 stars
by haxorstars · remote
https://github.com/haxorstars/CVE-2025-54068

This repository contains a functional exploit for CVE-2025-54068, targeting Laravel Livewire applications with known APP_KEYs to achieve remote command execution. The tool includes multiple exploit scripts, payload generation, and mass scanning capabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Laravel Livewire (versions < 3.6.4)
No auth needed
Prerequisites: Known APP_KEY of the target Livewire application · Vulnerable Livewire version (< 3.6.4)
devstral-2 · analyzed Feb 19, 2026

nomisec SCANNER 3 stars
by z0d131482700x · poc
https://github.com/z0d131482700x/Livewire2025CVE

This repository contains a Python-based scanner for detecting CVE-2025-54068 in Laravel applications using Livewire v3.0.0-beta.1 through v3.6.3. It checks for vulnerable Livewire endpoints, version patterns, and HTML fingerprints but does not include exploit code.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Laravel Livewire v3.0.0-beta.1 through v3.6.3
No auth needed
Prerequisites: List of target URLs
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 star
by flame-11 · remote-auth
https://github.com/flame-11/CVE-2025-54068-livewire

This repository provides a functional exploit PoC for CVE-2025-54068, targeting Livewire v3.6.3. It includes a Dockerized Laravel environment with a vulnerable Livewire component and a Python script that demonstrates the exploit chain via a two-step request sequence.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Livewire v3.6.3
No auth needed
Prerequisites: Docker · Python 3 · Target running Livewire v3.6.3
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by zycoder0day · remote
https://github.com/zycoder0day/CVE-2025-54068

This repository contains a functional exploit for CVE-2025-54068, targeting Laravel applications with Livewire versions listed in the code. The exploit leverages deserialization vulnerabilities using multiple gadget chains to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Laravel with Livewire (versions v3.0.0 to v3.7.3)
No auth needed
Prerequisites: Access to a vulnerable Laravel application with Livewire · Ability to send crafted HTTP requests to the target
devstral-2 · analyzed May 12, 2026

nomisec WORKING POC
by HelgeSverre · poc
https://github.com/HelgeSverre/livewire-honeypot

This repository contains a functional honeypot designed to capture and analyze exploit attempts targeting CVE-2025-54068, a Livewire prop hydration RCE vulnerability. It includes a FastAPI-based web server, ASGI middleware for request logging, and a sandboxed Docker environment for payload analysis.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Livewire 3.0.0-beta.1 through 3.6.3
No auth needed
Prerequisites: Python 3.11+ · Docker · uv
devstral-2 · analyzed Apr 12, 2026

Nuclei Templates (1)

Laravel Livewire v3 - Remote Command Execution
CRITICAL · VERIFIED · by flame-11
Shodan: html:"wire:id"

Scores

CVSS v3 9.8
EPSS 0.5888
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2026-03-20
VulnCheck KEV 2026-02-17
ENISA EUVD EUVD-2025-21792
CWE CWE-94
Status published
Products (3)
laravel/livewire 3.0.0 - 3.6.4
livewire/livewire 3.0.0-beta.1 - 3.6.4 (Packagist)
livewire/livewire >= 3.0.0-beta.1, < 3.6.4
Published Jul 17, 2025
KEV Added Mar 20, 2026
Tracked Since Feb 18, 2026