Published Tuesday, June 23, 2026 at 01:12 PM PT

BLUF: A large-scale credential theft campaign is actively exploiting CVE-2025-54068 in Laravel Livewire applications. Imperva reports 6,000+ applications compromised. Organizations running Laravel Livewire should treat this as an active incident and apply mitigations immediately.
DETAILS
- Imperva’s Cloud WAF began detecting exploitation attempts against Laravel Livewire applications on May 24, 2026, initially flagged as deserialization attack traffic before being attributed to a coordinated credential theft operation.
- The vulnerability is tracked as CVE-2025-54068 (note: source material also references CVE-2025-5406; it is unclear whether these are the same CVE or a transcription error; treat as potentially the same until confirmed).
- The attack vector involves deserialization abuse within the Livewire component framework, a PHP-based full-stack framework built on Laravel.
- Imperva characterizes this as a large-scale, organized campaign, not opportunistic scanning, given the volume and consistency of exploitation patterns observed.
- 6,000+ applications are reported as compromised. The methodology used to arrive at this figure has not been independently confirmed at time of publication.
IMPACT
- Directly affected: Any internet-facing application built on Laravel Livewire, particularly those without a WAF or not patched against this CVE.
- Credential theft is the confirmed objective; downstream impacts may include account takeover, lateral movement, and data exfiltration depending on what credentials are exposed.
- Scope is global; Laravel is widely deployed across industries including SaaS, e-commerce, healthcare, and financial services.
- Organizations relying solely on perimeter defenses without application-layer controls are at elevated risk.
RECOMMENDED ACTIONS
- Audit immediately: Identify all internal and customer-facing applications running Laravel Livewire.
- Apply patches: Check Laravel and Livewire official channels for CVE-2025-54068 patches or mitigations; apply without delay.
- Review WAF rules: Ensure deserialization attack signatures are active and up to date; Imperva Cloud WAF is confirmed blocking.
- Hunt for indicators: Review application logs for anomalous Livewire component requests, unexpected deserialization activity, or unusual authentication events from May 24, 2026 onward.
- Rotate credentials: If exploitation cannot be ruled out, treat exposed application credentials as compromised and rotate.
- Isolate if necessary: Consider taking vulnerable applications offline or behind additional access controls until patched.
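
For the audit step, one way to inventory Livewire across deployed code is to read each application's `composer.lock` and report the pinned `livewire/livewire` version. This is an added example, not code from Imperva or from the original brief; it assumes applications keep their `composer.lock` on disk, the function names are hypothetical, and the sample versions are constructed placeholders.

```python
import json
import os
import sys
import tempfile

PACKAGE = "livewire/livewire"  # Composer package name for Livewire


def find_livewire(root):
    """Return one record per composer.lock under root that pins Livewire."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Lock files under vendor/ belong to dependencies, not to the app.
        dirnames[:] = [d for d in dirnames if d not in ("vendor", "node_modules", ".git")]
        if "composer.lock" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "composer.lock"), encoding="utf-8") as fh:
                lock = json.load(fh)
            pkgs = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
        except (OSError, ValueError, AttributeError, TypeError) as exc:
            # Report unreadable or malformed lock files instead of skipping them.
            findings.append({"app": dirpath, "version": None, "error": str(exc)})
            continue
        for pkg in pkgs:
            if isinstance(pkg, dict) and str(pkg.get("name", "")).lower() == PACKAGE:
                findings.append({"app": dirpath, "version": pkg.get("version"), "error": None})
    return findings


def demo():
    """Scan a constructed tree (sample data, not real applications or versions)."""
    placeholder = "v0.0.0-sample"
    samples = {
        "shop": {"packages": [{"name": "livewire/livewire", "version": placeholder}]},
        "blog": {"packages": [{"name": "laravel/framework", "version": placeholder}]},
        "broken": None,  # written as invalid JSON below
    }
    with tempfile.TemporaryDirectory() as root:
        for app, lock in samples.items():
            os.makedirs(os.path.join(root, app))
            with open(os.path.join(root, app, "composer.lock"), "w", encoding="utf-8") as fh:
                fh.write("{not json" if lock is None else json.dumps(lock))
        return sorted((os.path.basename(f["app"]), f["version"]) for f in find_livewire(root))


if __name__ == "__main__":
    for item in (find_livewire(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(item)
```

The script only lists where Livewire is installed and at what version; compare the reported versions against the fixed release named in the official Livewire advisory. Records with `version` set to `None` are lock files that could not be parsed and need manual review.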
UNCERTAINTY FLAGS
- The CVE identifier discrepancy (CVE-2025-54068 vs. CVE-2025-5406) is unresolved; verify against NVD and Imperva’s full advisory before referencing in internal communications.
- The 6,000+ compromise figure is sourced solely from Imperva at this time; independent corroboration is pending.
- Full technical details of the exploit chain have not been confirmed in available source material.
SOURCES
- Imperva Threat Research - CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised (May 2026)
