CVE-2025-54068

Laravel Livewire Code Injection (CVE-2025-54068)

Initial Access Execution Persistence Last updated:

Detects exploitation of CVE-2025-54068, a code injection vulnerability in Laravel Livewire. This KEV-listed vulnerability allows attackers to inject and execute arbitrary PHP code through Livewire component handling, potentially leading to remote code execution on affected Laravel applications.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Laravel
Product
Livewire

Weakness (CWE)

CWE-94

Timeline

Disclosed
March 20, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2025-54068 Laravel Livewire Code Injection (CVE-2025-54068)?

Laravel Livewire Code Injection (CVE-2025-54068) (CVE-2025-54068) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Laravel Livewire Code Injection (CVE-2025-54068), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Monitor, Microsoft Sentinel. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence
Microsoft Sentinel / Defender
kusto 
union DeviceNetworkEvents, DeviceProcessEvents, DeviceFileEvents
| where TimeGenerated > ago(24h)
| where (ActionType in ("HttpRequestReceived", "NetworkConnectionFound") and (RemoteUrl contains "/livewire/message" or RemoteUrl contains "/livewire/upload-file")) or (FileName endswith ".php" and FolderPath contains "livewire" and InitiatingProcessCommandLine contains "eval(")
| extend SuspiciousPayload = extract(@"(eval\(|base64_decode\(|system\(|exec\(|shell_exec\(|passthru\()", 0, tostring(AdditionalFields))
| where isnotempty(SuspiciousPayload) or (ActionType == "HttpRequestReceived" and toint(ResponseCode) between (200 .. 299) and (RequestBody contains "eval(" or RequestBody contains "base64_decode(" or RequestBody contains "__construct" or RequestBody contains "$this->" and RequestBody contains "system("))
| project TimeGenerated, DeviceName, ActionType, RemoteUrl, RemoteIP, InitiatingProcessAccountName, SuspiciousPayload, AdditionalFields
| order by TimeGenerated desc

Detects HTTP requests to Laravel Livewire endpoints containing code injection payloads and suspicious PHP function calls indicative of CVE-2025-54068 exploitation.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Azure Monitor Microsoft Sentinel

Required Tables

DeviceNetworkEvents DeviceProcessEvents DeviceFileEvents

False Positives

  • Legitimate Livewire component updates containing complex PHP object serialization
  • Security scanners or penetration testing tools probing Livewire endpoints
  • Development environments with debug-mode Livewire payloads

Sigma rule & cross-platform mapping

The detection logic for Laravel Livewire Code Injection (CVE-2025-54068) (CVE-2025-54068) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-54068 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-54068

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2025-54068 Basic eval() Injection via Livewire Message Endpoint

    Expected signal: HTTP POST to /livewire/message with base64-encoded payload containing system() call; PHP process may log eval() warning; web server logs capture anomalous request body.

  2. Test 2CVE-2025-54068 Shell Command Execution via Livewire Injection

    Expected signal: Process creation event: php or php-fpm spawning /bin/sh with argument 'id > /tmp/pwned'; file creation event at /tmp/pwned; web server access log entry for the crafted POST.

  3. Test 3CVE-2025-54068 Webshell Deployment Simulation

    Expected signal: File creation event for shell.php in public/ directory initiated by php-fpm or web server process; subsequent HTTP GET requests to /shell.php with command parameters.

Unlock Pro Content

Get the full detection package for CVE-2025-54068 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.004Unix ShellT1505.003Web Shell

Same Tactic: Initial Access

Popular Detections