CVE-2025-54068 CrowdStrike LogScale · LogScale

Detect Laravel Livewire Code Injection (CVE-2025-54068) in CrowdStrike LogScale

Detects exploitation of CVE-2025-54068, a code injection vulnerability in Laravel Livewire. This KEV-listed vulnerability allows attackers to inject and execute arbitrary PHP code through Livewire component handling, potentially leading to remote code execution on affected Laravel applications.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
event_simpleName IN ("ProcessRollup2", "NetworkConnectIP4", "DnsRequest") AND
(
  (
    event_simpleName = "NetworkConnectIP4" AND
    (HttpPath = "*/livewire/message*" OR HttpPath = "*/livewire/upload-file*") AND
    HttpMethod = "POST"
  ) OR
  (
    event_simpleName = "ProcessRollup2" AND
    ParentBaseFileName IN ("php", "php-fpm", "php8.0", "php8.1", "php8.2", "php8.3") AND
    FileName IN ("bash", "sh", "curl", "wget", "python", "python3", "perl") AND
    CommandLine != ""
  )
)
| eval risk=if(match(CommandLine, "(eval|system|exec|shell_exec|base64_decode|passthru)"), "HIGH", "MEDIUM")
| where risk = "HIGH"
| table _time, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, HttpPath, RemoteAddressIP4
| sort -_time
critical severity high confidence

CrowdStrike CQL query correlating Livewire HTTP endpoint activity with suspicious child process spawning from PHP processes, indicating CVE-2025-54068 RCE exploitation.

Data Sources

CrowdStrike Falcon EDRCrowdStrike Network Containment

Required Tables

ProcessRollup2NetworkConnectIP4DnsRequest

False Positives & Tuning

  • PHP-FPM legitimately spawning helper scripts for scheduled tasks
  • Composer or Artisan CLI tools invoked during deployment pipelines
  • Laravel queue workers executing jobs that invoke shell commands

Other platforms for CVE-2025-54068

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2025-54068 Basic eval() Injection via Livewire Message Endpoint

    Expected signal: HTTP POST to /livewire/message with base64-encoded payload containing system() call; PHP process may log eval() warning; web server logs capture anomalous request body.

  2. Test 2CVE-2025-54068 Shell Command Execution via Livewire Injection

    Expected signal: Process creation event: php or php-fpm spawning /bin/sh with argument 'id > /tmp/pwned'; file creation event at /tmp/pwned; web server access log entry for the crafted POST.

  3. Test 3CVE-2025-54068 Webshell Deployment Simulation

    Expected signal: File creation event for shell.php in public/ directory initiated by php-fpm or web server process; subsequent HTTP GET requests to /shell.php with command parameters.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-54068 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.004Unix ShellT1505.003Web Shell

Same Tactic: Initial Access

Popular Detections