Detect Laravel Livewire Code Injection (CVE-2025-54068) in Splunk
Detects exploitation of CVE-2025-54068, a code injection vulnerability in Laravel Livewire. This KEV-listed vulnerability allows attackers to inject and execute arbitrary PHP code through Livewire component handling, potentially leading to remote code execution on affected Laravel applications.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
SPL Detection Query
index=web OR index=app sourcetype IN ("access_combined", "php_error", "laravel", "nginx_access", "apache_access")
| where (uri_path="*/livewire/message*" OR uri_path="*/livewire/upload-file*")
| eval request_body=coalesce(request_body, _raw)
| eval suspicious_functions=if(match(request_body, "(eval\(|base64_decode\(|system\(|exec\(|shell_exec\(|passthru\(|proc_open\(|popen\()"), 1, 0)
| eval php_injection=if(match(request_body, "(\\$_GET|\\$_POST|\\$_REQUEST|\\$_SERVER|__class__|__construct)") AND match(request_body, "(eval|assert|create_function)"), 1, 0)
| where suspicious_functions=1 OR php_injection=1
| eval status_code=coalesce(status, sc_status)
| stats count min(_time) as first_seen max(_time) as last_seen values(src_ip) as source_ips values(uri_path) as endpoints by host, status_code
| where count > 0
| sort -last_seenDetects Laravel Livewire endpoint requests containing PHP code injection patterns associated with CVE-2025-54068 exploitation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Livewire AJAX calls with complex serialized component state
- Automated vulnerability scanners testing web application endpoints
- Load testing tools sending large POST payloads to Livewire routes
Other platforms for CVE-2025-54068
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2025-54068 Basic eval() Injection via Livewire Message Endpoint
Expected signal: HTTP POST to /livewire/message with base64-encoded payload containing system() call; PHP process may log eval() warning; web server logs capture anomalous request body.
- Test 2CVE-2025-54068 Shell Command Execution via Livewire Injection
Expected signal: Process creation event: php or php-fpm spawning /bin/sh with argument 'id > /tmp/pwned'; file creation event at /tmp/pwned; web server access log entry for the crafted POST.
- Test 3CVE-2025-54068 Webshell Deployment Simulation
Expected signal: File creation event for shell.php in public/ directory initiated by php-fpm or web server process; subsequent HTTP GET requests to /shell.php with command parameters.
Unlock Pro Content
Get the full detection package for CVE-2025-54068 including response playbook, investigation guide, and atomic red team tests.