[Breaking] Critical RCE in Laravel Livewire Exploited by Iranian State Hackers
CVSS 9.8 Laravel Livewire vulnerability (CVE-2025-54068) actively exploited by Iranian state-sponsored APT MuddyWater. No authentication required for full server takeover. CISA deadline: April 3.
kkm
Backend Engineer / AWS / Django
A vulnerability patched in July 2025 is now being exploited by Iranian state-sponsored hackers — eight months later. CVE-2025-54068. CVSS 9.8. No authentication required. Full server takeover possible.
The target is Laravel Livewire v3. Packagist downloads exceed 75 million, with over 130,000 publicly exposed instances. If your Laravel application uses Livewire v3, read this article before opening Composer.
What Happened to Laravel Livewire
On July 17, 2025, French security firm Synacktiv discovered a critical vulnerability in Laravel Livewire v3.
| Item | Details |
|---|---|
| CVE | CVE-2025-54068 |
| CVSS | 9.8 / 10.0 (Critical) |
| Type | Remote Code Execution (RCE) |
| Authentication | Not required (exploitable by anyone) |
| Affected Versions | v3.0.0-beta.1 through v3.6.3 (v1/v2 not affected) |
| Fixed Version | v3.6.4 (released July 2025) |
| CISA Remediation Deadline | April 3, 2026 |
The issue is the timing. The patch was released in July 2025. CISA added it to the KEV catalog on March 20, 2026. During that eight-month gap, the Iranian state-sponsored hacker group MuddyWater began actively exploiting it.
How This Vulnerability Works
Livewire v3 uses a mechanism called "hydration" to synchronize component state between the browser and server. Each time a user clicks a button, the component state is sent to the server as JSON, processed, and returned. The flaw was in the validation of a PHP object called a "synthesizer" that runs on every round-trip.
The attack works in two stages.
First, Livewire requests include an updates field. Normally the server validates a checksum of the entire request, but by embedding "hidden synthesizer metadata" inside a nested array within updates, an attacker causes a synthesizer to be redefined and executed at a deep level of recursive processing. Since the checksum only inspects the top level, the nested content slips through.
Second, the bypassed synthesizer uses CollectionSynth to instantiate arbitrary PHP classes. From there, a "gadget chain" combining the __toString() method of GuzzleHttp\Psr7\FnStream with array_map from League\Flysystem is triggered, ultimately executing arbitrary commands on the server.
What makes this particularly dangerous is that while typical attacks produce HTTP 500 errors and get detected, Synacktiv's researchers confirmed a technique that exits cleanly via Laravel\Prompts\Terminal::exit(). Attacks can be carried out without leaving traces in the logs.
Why Filament Login Pages Are Especially at Risk
Filament is a Laravel admin panel framework built on top of Livewire. The problem is that Filament's login panel has a public $form property with "weak typing."
Because this property has no type declaration, it accepts arbitrary objects injected by an attacker. This means the attack can succeed simply by accessing the login page. The login screen itself becomes the entry point — before any authentication takes place.
Filament is widely used as an admin panel framework, and based on Packagist download counts, approximately 18 million installations may be affected.
Who Is MuddyWater
MuddyWater (also known as Seedworm and Mango Sandstorm) is a state-sponsored hacker group believed to operate as a subordinate organization of Iran's Ministry of Intelligence and Security (MOIS). Active since 2017, the group has targeted government agencies, telecommunications, defense, energy, and financial sectors across the Middle East, Asia, Europe, and North America.
Their 2026 campaign began in early February but escalated significantly following the U.S.-Israeli military strike on Iran on February 28. Confirmed targets include U.S. banks, airports, and Israeli offices of software companies.
New malware has also been identified. A backdoor called "Dindoor" running on the Deno runtime, and a Python-based tool called "Fakeset." Certificates with fake names — Amy Cherne and Donald Gay — were used for signing, and Backblaze B2 cloud storage was used for data exfiltration.
CISA explicitly noted in its KEV catalog addition document that CVE-2025-54068 is "associated with MuddyWater attack activity."
Why Eight Months Passed Without Patching
The fixed version v3.6.4 was released in July 2025. Eight months later, in March 2026, many instances remained in a vulnerable state. This is not a case of "the patch not being released" — it is a case of "the patch not being applied."
In the PHP ecosystem, and Laravel projects in particular, it is not uncommon to avoid running composer update frequently. A "don't touch what's working" culture means that even security patches are often left unapplied out of fear of compatibility issues.
Moreover, despite a CVSS score of 9.8, this vulnerability generated little attention when it was disclosed in July 2025. It was only after CISA added it to the KEV catalog that the message "this needs immediate action" spread widely. With a PoC scanner published on GitHub, the barrier to exploitation is extremely low.
Is Your Application Affected
If all of the following conditions apply, your application is affected.
Conditions for being affected
1. Running Livewire v3.0.0-beta.1 through v3.6.3
2. Server is publicly accessible on the internet
3. Livewire components are mounted and active
Even if you are not using Livewire directly, you may be using it indirectly through Filament, Laravel Pulse, or other Livewire-dependent packages. The number of dependent packages reaches 1,983.
Verification is straightforward.
```bash
# Check version
composer show livewire/livewire

# Vulnerability scan
composer audit
```

If the output of composer show reports v3.6.3 or below, you are affected. v1.x and v2.x are not in scope.
What to Do Right Now
The fix is a single command: composer update livewire/livewire. There is no workaround. No mitigation exists other than upgrading — you must update the version.
```bash
# Update to the fixed version
composer update livewire/livewire

# Verify after updating (must be v3.6.4 or above)
composer show livewire/livewire

# Full scan including other vulnerabilities
composer audit
```

After updating, also check the versions of Filament and other Livewire-dependent packages. If you are using Filament, run composer update filament/filament as well and verify it references Livewire v3.6.4 or above.
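The version check and the post-update verification above can be scripted across many projects by reading composer.lock directly. The following is an added example, not code from the article or from the Livewire project; it applies the affected range stated above (v3.0.0-beta.1 through v3.6.3, fixed in v3.6.4), handles the pre-release edge case, and flags the indirect case where Livewire arrives only through Filament or Pulse. The sample lock file and the script name are constructed for illustration.

```python
import json
import re
import sys

# Packages named on the page that pull Livewire in indirectly.
LIVEWIRE_DEPENDENTS = {"filament/filament", "laravel/pulse"}

# Constructed composer.lock fragment for demonstration, not a real project's file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "livewire/livewire", "version": "v3.6.3"},
    {"name": "filament/filament", "version": "v3.2.0"},
]})

def parse_version(text):
    """Turn 'v3.6.3' or 'v3.0.0-beta.1' into a comparable tuple. A pre-release
    sorts below the final release of the same number, so that
    v3.0.0-beta.1 < v3.0.0 < v3.6.3 < v3.6.4. Returns None for 'dev-main' etc."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$", text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")

def is_vulnerable(version):
    """True if this livewire/livewire version is in the affected range
    (v3.0.0-beta.1 through v3.6.3); v1.x, v2.x and v3.6.4+ return False."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"cannot interpret version {version!r}; inspect it by hand")
    return parsed[0] == 3 and parsed < parse_version("v3.6.4")

def check_lock(lock_text):
    """Report Livewire exposure from a composer.lock document, covering the
    indirect case where Livewire arrives only through Filament or Pulse."""
    lock = json.loads(lock_text)
    installed = {p["name"]: p["version"]
                 for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    version = installed.get("livewire/livewire")
    if version is None:
        return {"installed": False, "version": None, "vulnerable": False, "via": []}
    via = sorted(n for n in installed if n in LIVEWIRE_DEPENDENTS)
    return {"installed": True, "version": version,
            "vulnerable": is_vulnerable(version), "via": via}

if __name__ == "__main__":
    # Usage: python check_livewire.py [path/to/composer.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(json.dumps(check_lock(text), indent=2))
```

A "dev-*" or otherwise unparsable version raises rather than silently passing, since a branch checkout needs a manual look.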
Note that environments where APP_KEY has been leaked have a separate attack vector (a variant) that is not fixed in v3.6.4. Livewire considers APP_KEY exposure to be outside its security scope as it is "the application's security boundary." Be sure to manage your APP_KEY carefully.
What Happens Next
The CISA remediation deadline is April 3, 2026. While this is a legally binding deadline for Federal Civilian Executive Branch (FCEB) agencies, it also creates de facto remediation pressure for private organizations. Having a vulnerability that CISA explicitly named left unpatched is difficult to justify if an incident occurs.
With a PoC scanner published on GitHub, it is only a matter of time before attackers beyond MuddyWater begin using it. The fix has existed for eight months. All that remains is applying it.
References
- Synacktiv: Livewire Remote Command Execution Through Unmarshaling
- NVD: CVE-2025-54068
- GitHub Advisory: GHSA-29cq-5w36-x7w3
- MITRE ATT&CK: MuddyWater (G0069)
- The Hacker News: Iran-Linked MuddyWater Hackers Target US
- Security Affairs: CISA Adds Laravel Livewire to KEV
- Security Online: Critical Livewire RCE Threatens Millions
- Laravel News: Livewire Security Vulnerability
- Packagist: livewire/livewire
- BuiltWith: Laravel Livewire Usage Statistics