Laravel Livewire RCE Exploited to Steal Credentials From More Than 6,000 Apps


Attackers have exploited a critical Laravel Livewire remote code execution vulnerability to steal credentials from thousands of applications worldwide. According to a new Imperva Threat Research report, the campaign harvested secrets from 6,167 distinct applications across sectors including e-commerce, healthcare, finance, education and government.

The campaign abuses CVE-2025-54068, a Livewire v3 vulnerability that can allow unauthenticated remote command execution in specific configurations. The GitHub advisory says affected versions include Livewire 3.0.0-beta.1 through versions earlier than 3.6.4.

The flaw is especially dangerous because Laravel applications often store sensitive secrets in .env files. Once attackers gain code execution, they can search for those files and steal database passwords, application keys, cloud credentials, payment keys, OAuth secrets and SMTP passwords.

How the Livewire attack works

Imperva first observed the exploitation attempts on May 24, 2026 through its Cloud WAF. The traffic initially looked like ordinary deserialization activity, but further analysis tied it to a credential-theft operation targeting vulnerable Laravel Livewire applications.

The NVD record for CVE-2025-54068 describes the issue as a Livewire v3 flaw in how certain component property updates are hydrated. Exploitation does not require authentication or user interaction, but the vulnerable component must be mounted and configured in a way that exposes the affected path.

Attackers used PHPGGC gadget chains to build payloads that could trigger command execution through existing PHP classes in the target application. Those payloads then downloaded and executed a Bash script called shoc.enz from attacker-controlled infrastructure.

| Stage | Attack action | Result |
|---|---|---|
| Reconnaissance | Scan for vulnerable Livewire v3 applications | Find exposed Laravel targets |
| Exploitation | Send crafted Livewire update requests | Trigger remote command execution |
| Payload delivery | Download shoc.enz from attacker infrastructure | Run credential-harvesting script |
| Discovery | Search the file system for .env files | Find application secrets |
| Exfiltration | Upload stolen data through FTP, Telegram and GoFile | Move credentials out of the victim server |

Why CVE-2025-54068 is critical

Livewire is a full-stack framework for Laravel that lets developers build dynamic interfaces using PHP. The vulnerability affects Livewire v3 and does not affect earlier major versions, according to the GitHub security advisory.

The weakness sits in Livewire’s hydration process, which restores component state from browser requests. The Synacktiv advisory says the issue allows pre-authenticated remote code execution by abusing the way Livewire processes updates to component properties.

GitHub rates the vulnerability as critical with a CVSS 4.0 score of 9.2. NVD lists a CVSS 3.1 score of 9.8, with high impact to confidentiality, integrity and availability.

  • The flaw affects Livewire v3 before 3.6.4.
  • It can allow unauthenticated remote command execution in specific scenarios.
  • No user interaction is required.
  • There is no known workaround.
  • The vendor fix is Livewire 3.6.4 or later.

What the attackers stole

The campaign focused on .env files because they often contain the keys needed to take over an application or its connected services. In Laravel environments, those files can include database logins, APP_KEY values, payment processor secrets, cloud keys and mail server credentials.

According to the Imperva analysis, researchers recovered data from attacker infrastructure showing 21,916 unique files, credentials from 6,167 applications, 1,851 or more full database dumps, and 18 or more email lists containing over 26 million addresses.

The exposed secrets included 14,566 real non-default database passwords, 188 live Stripe secret keys, 381 valid AWS IAM credentials, 2,929 JWT secrets, 2,409 Google OAuth client secrets, 2,232 Filament admin panel passwords and 7,176 SMTP passwords.

| Exposed data type | Reported count |
|---|---|
| Distinct compromised applications | 6,167 |
| Full database dumps | 1,851+ |
| Real non-default database passwords | 14,566 |
| Live Stripe secret keys | 188 |
| Valid AWS IAM credentials | 381 |
| SMTP passwords | 7,176 |

The campaign used simple but effective exfiltration

The credential stealer used multiple exfiltration channels instead of relying on one path. Imperva said the script uploaded stolen archives through an FTP server, Telegram API calls and GoFile cloud storage.

The same report says the attacker’s FTP server contained seven directories of stolen data, while the GoFile account contained 11,179 files totaling 309.9 MB. This redundancy made the campaign more reliable because blocking one channel would not necessarily stop all data theft.

Attribution indicators point to an Indonesian-origin threat actor, but the evidence does not prove a formal group identity. Imperva cited Indonesian-language comments in the malware source code, Asia/Jakarta timezone references and related account metadata.

Patched version and known exploitation status

Livewire fixed the vulnerability in version 3.6.4. The Livewire 3.6.4 release notes list a fix for property update hydration, matching the vulnerable area described in the advisory.

The NVD entry also notes that CISA added CVE-2025-54068 to its Known Exploited Vulnerabilities catalog on March 20, 2026, with a remediation due date of April 3, 2026 for covered U.S. federal agencies.

The timeline matters. This was not a freshly disclosed bug that researchers had only just started to probe. The vulnerability had already been publicly known and patched for some time, yet the campaign shows that many exposed applications still had not upgraded.

Why .env theft can lead to more attacks

Stealing .env files can turn one web application compromise into several separate security incidents. A database password can expose customer records. A cloud key can expose storage buckets or infrastructure. A Stripe key can support fraud. A Laravel APP_KEY can help attackers decrypt application data or forge signed values in some situations.

The attacker’s approach also shows why mass scanning remains so effective. Laravel apps often share similar folder structures, environment files and deployment patterns, so a single exploit and script can work against many targets once a vulnerable component is found.

GoFile exfiltration account

Open-source Laravel applications appeared among the victims, including Invoice Ninja, Akaunting, Attendize, Lychee and TastyIgniter. Imperva said the targeting looked indiscriminate, with affected sites spread across many regions and industries.

What Laravel teams should do now

Developers and security teams should upgrade Livewire immediately to 3.6.4 or later. The technical disclosure confirms that versions 3.0.0-beta.1 through 3.6.3 are affected, while the 3.6.4 release contains the hydration fix.
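As an added example (not code from the Imperva report or the Livewire project), the following Python script reads a project's composer.lock and reports whether the pinned livewire/livewire version falls in the affected range the advisory gives: 3.0.0-beta.1 up to, but not including, 3.6.4. The lock-file content embedded at the bottom is constructed for the stand-alone run; pass a real composer.lock path on the command line to audit an actual project.

```python
import json
import re
import sys
from typing import Optional, Tuple

PACKAGE = "livewire/livewire"
FIXED = (3, 6, 4)   # first patched release per the GitHub advisory
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(raw: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split a Composer version such as 'v3.6.3' or '3.0.0-beta.1' into a
    numeric triple and an optional pre-release tag. Branch aliases such as
    'dev-main' or '3.x-dev' do not match and raise ValueError."""
    m = VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4)


def is_vulnerable(raw: str) -> bool:
    """True when the version lies in the advisory's affected range,
    3.0.0-beta.1 up to but not including 3.6.4."""
    base, pre = parse_version(raw)
    if base[0] != 3:
        return False            # earlier major versions are not affected
    if base < FIXED:
        # Any 3.x below 3.6.4. The advisory's lower bound is 3.0.0-beta.1;
        # earlier 3.0.0 pre-releases are flagged too, conservatively.
        return True
    # A pre-release of 3.6.4 itself sorts before the fixed release.
    return base == FIXED and pre is not None


def installed_version(lock_text: str) -> Optional[str]:
    """Find livewire/livewire in composer.lock (runtime or dev section)."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def audit(lock_text: str) -> dict:
    """Summarise the Livewire exposure of one lock file.
    'vulnerable' is None when the version string cannot be parsed."""
    version = installed_version(lock_text)
    if version is None:
        return {"installed": False, "version": None, "vulnerable": False}
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        vulnerable = None
    return {"installed": True, "version": version, "vulnerable": vulnerable}


# Constructed sample lock file for the stand-alone run.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.2"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(audit(text))
```

Running it across every checked-out repository and deployed release is the practical way to satisfy the "search all environments" step: a lock file that pins a branch alias rather than a tagged release comes back as unknown and needs a manual look rather than being silently treated as safe.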

Teams should not stop at patching. If a vulnerable app was internet-facing, administrators should assume credentials may have been exposed and rotate secrets stored in .env files, especially database passwords, APP_KEY values, cloud credentials, payment keys and mail server credentials.

Security teams should also check server logs for suspicious requests to Livewire update endpoints, outbound FTP traffic, connections to Telegram APIs, uploads to GoFile, and signs that a Bash script searched for .env files across the file system.

  • Upgrade livewire/livewire to 3.6.4 or later.
  • Search for vulnerable Livewire v3 packages across all environments.
  • Rotate database, APP_KEY, Stripe, AWS, OAuth, JWT and SMTP secrets.
  • Block outbound FTP from production web servers unless explicitly required.
  • Alert on server-side connections to api.telegram.org and upload.gofile.io from Laravel hosts.
  • Review database logs for unexpected dumps or large exports.
  • Move long-lived secrets out of exposed server files where possible.
  • Add least-privilege controls to database, cloud and payment credentials.
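The log review described above, as an added example rather than anything from the Imperva report: a small Python analyser that reads two constructed log samples (web-server access logs in nginx combined format and a simple per-host egress log) and raises findings for bursts of POSTs to the Livewire update route from one source, any server-side connection to the Telegram and GoFile endpoints the report names, and the two seen together within a short window. The /livewire/update path is Livewire v3's default update route and the egress log layout is an assumption; adapt both to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Exfiltration endpoints named in the Imperva report; extend with your own list.
EXFIL_HOSTS = {"api.telegram.org", "upload.gofile.io"}
# Livewire v3's default update route (assumption: change it if the app customises the path).
LIVEWIRE_UPDATE = "/livewire/update"
BURST_THRESHOLD = 20                 # POSTs to the update route per source IP per minute
CORRELATION_WINDOW = timedelta(minutes=10)

# nginx "combined" access log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed egress log format: "<ISO timestamp> <host> CONNECT <dest>:<port>".
EGRESS_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) CONNECT (?P<dest>[^:]+):(?P<port>\d+)$')


def parse_access(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "ip": m["ip"], "method": m["method"], "path": m["path"], "ua": m["ua"]}


def parse_egress(line):
    """Return a dict for one egress-log line, or None if it does not match."""
    m = EGRESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "dest": m["dest"]}


def analyse(access_lines, egress_lines):
    """Return a list of findings, each a dict with a severity and a type."""
    findings = []

    # 1. Bursts of POSTs to the Livewire update route from a single source IP,
    #    which is what probing of the endpoint looks like from one server.
    update_hits = []
    per_ip_minute = defaultdict(int)
    for line in access_lines:
        rec = parse_access(line)
        if rec and rec["method"] == "POST" and rec["path"] == LIVEWIRE_UPDATE:
            update_hits.append(rec)
            per_ip_minute[(rec["ip"], rec["ts"].replace(second=0))] += 1
    for (ip, minute), count in per_ip_minute.items():
        if count >= BURST_THRESHOLD:
            findings.append({"severity": "medium", "type": "livewire_update_burst",
                             "ip": ip, "count": count, "ts": minute})

    # 2. Any server-side connection to a known exfiltration service.
    exfil_events = []
    for line in egress_lines:
        rec = parse_egress(line)
        if rec and rec["dest"] in EXFIL_HOSTS:
            exfil_events.append(rec)
            findings.append({"severity": "high", "type": "exfil_egress",
                             "host": rec["host"], "dest": rec["dest"], "ts": rec["ts"]})

    # 3. Exfil egress shortly after update-route traffic: both halves of the
    #    reported chain seen together, so escalate and list candidate sources.
    for ev in exfil_events:
        recent = [h for h in update_hits
                  if timedelta(0) <= ev["ts"] - h["ts"] <= CORRELATION_WINDOW]
        if recent:
            findings.append({"severity": "critical", "type": "update_then_exfil",
                             "host": ev["host"], "dest": ev["dest"], "ts": ev["ts"],
                             "source_ips": sorted({h["ip"] for h in recent})})
    return findings


# Constructed sample logs: one normal user, one client hammering the update
# route, and the web host later connecting to GoFile.
SAMPLE_ACCESS = [
    '198.51.100.2 - - [24/May/2026:09:58:11 +0000] "GET /dashboard HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [24/May/2026:09:58:14 +0000] "POST /livewire/update HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [24/May/2026:10:01:{s:02d} +0000] "POST /livewire/update HTTP/1.1" 500 0 "-" "python-requests/2.31"'
    for s in range(20)
]
SAMPLE_EGRESS = [
    "2026-05-24T10:02:00Z web-01 CONNECT packagist.org:443",
    "2026-05-24T10:05:30Z web-01 CONNECT upload.gofile.io:443",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_ACCESS, SAMPLE_EGRESS):
        print(f["severity"].upper(), f["type"], {k: v for k, v in f.items() if k not in ("severity", "type")})
```

The correlation step deliberately includes every update-route request in the window, not only the burst source, because a single well-formed request is enough to exploit the flaw; the burst rule is there to catch noisy probing, while the egress rule carries the real weight and stands on its own.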

FAQ

What is CVE-2025-54068?

CVE-2025-54068 is a critical Laravel Livewire v3 vulnerability that can allow unauthenticated remote command execution in specific configurations. It affects Livewire versions before 3.6.4.

Which Laravel Livewire versions are affected?

The vulnerability affects Livewire 3.0.0-beta.1 through versions earlier than 3.6.4. Livewire v3.6.4 and later contain the patch.

What did attackers steal in the Livewire campaign?

Attackers stole secrets from Laravel .env files, including database passwords, APP_KEY values, Stripe keys, AWS credentials, JWT secrets, OAuth secrets and SMTP passwords.

How many applications were affected in the campaign?

Imperva said recovered attacker infrastructure showed credentials from 6,167 distinct applications, along with more than 1,850 full database dumps.

How can Laravel teams protect themselves?

Teams should upgrade Livewire to 3.6.4 or later, rotate all secrets stored in .env files, block unnecessary outbound FTP traffic, monitor unusual connections to Telegram and GoFile, and review logs for suspicious Livewire update requests.
