Critical RCE Vulnerability in Laravel Livewire Exploited to Steal Credentials

A significant cyberattack campaign has been identified, targeting applications built with Laravel Livewire. Attackers are exploiting a critical remote code execution (RCE) vulnerability, designated as CVE-2025-54068, to infiltrate systems and exfiltrate sensitive credentials.

Laravel Livewire is a popular full-stack framework for Laravel that lets developers build dynamic interfaces with minimal JavaScript. The vulnerability affects Livewire versions up to 3.6.3 and arises from missing validation in the framework’s hydration step, in which component state sent back by the browser is restored on the server. Because the framework did not verify the integrity of that state before deserializing it, an unauthenticated attacker could submit a crafted serialized PHP object in place of legitimate component state and have the server deserialize it, leading to arbitrary command execution on vulnerable hosts.
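The pattern the paragraph above describes as missing, shown as an added Python illustration (not Livewire's or Laravel's code): an integrity tag is checked over the opaque blob the browser returned before anything is parsed. JSON stands in for PHP serialization, the component snapshot and the signing key are hypothetical, and the point is the ordering: verify, then deserialize.

```python
"""Authenticate client-returned state before deserializing it.

Added illustration in Python, not Livewire's or Laravel's code. JSON stands
in for PHP serialization and the snapshot is a hypothetical component state;
what matters is that the tag is verified over the raw bytes before parsing.
"""
import hashlib
import hmac
import json

# Hypothetical server-side secret; a real app would derive this from APP_KEY.
SERVER_KEY = b"example-signing-key-not-a-real-secret"


def seal_snapshot(state: dict) -> str:
    """Serialize component state and append an HMAC-SHA256 tag (hex, no dots)."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def restore_unsigned(snapshot: str) -> dict:
    """Vulnerable pattern: parse whatever came back, tag ignored."""
    body, _sep, _tag = snapshot.rpartition(".")
    return json.loads(body)


def restore_signed(snapshot: str) -> dict:
    """Hardened pattern: verify the tag over the raw bytes, then parse."""
    body, sep, tag = snapshot.rpartition(".")
    if not sep:
        raise ValueError("snapshot has no integrity tag")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a non-ASCII tag cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise ValueError("snapshot integrity check failed")
    return json.loads(body)


def tamper(snapshot: str, field: str, value) -> str:
    """Model an attacker without the key: edit the state, keep the old tag."""
    body, sep, tag = snapshot.rpartition(".")
    state = json.loads(body)
    state[field] = value
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return body + sep + tag


def accepts(restore, snapshot: str) -> bool:
    """True if `restore` returns state for `snapshot` instead of rejecting it."""
    try:
        restore(snapshot)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    snap = seal_snapshot({"component": "UserProfile", "user_id": 7, "is_admin": False})
    forged = tamper(snap, "is_admin", True)
    print("unsigned accepts forgery:  ", accepts(restore_unsigned, forged))  # True
    print("signed accepts forgery:    ", accepts(restore_signed, forged))    # False
    print("signed accepts untampered: ", accepts(restore_signed, snap))      # True
```

The unsigned path happily restores a snapshot whose `is_admin` field was flipped; the signed path rejects it, and also rejects a snapshot with the tag stripped entirely. A deserialization sink that runs before this check is the condition the advisory describes.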

Security researchers first observed the malicious activity on May 24, 2026, when their cloud web application firewall detected and blocked suspicious deserialization requests tied to active exploitation of CVE-2025-54068. Analysis of the blocked traffic showed that the attackers built their payloads with PHPGGC gadget chains, which turn a deserialization sink into execution of arbitrary shell commands.

Once a system is compromised, the attackers deploy a malicious Bash script named “shoc.enz.” This script is designed to locate and extract sensitive configuration data from Laravel environments. It scans the file system for .env files, which typically store critical application secrets such as database credentials, API keys, and encryption keys. The script extracts key fields, including database hostnames, usernames, passwords, and application keys, then compresses the data before exfiltrating it through multiple channels. To evade detection, the script removes traces of its activity after execution.
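Because the script reads the whole .env file, every value in it has to be treated as disclosed once a host is found compromised. The following added helper (not part of the campaign analysis, Laravel, or Livewire) parses a Laravel-style .env file and produces a rotation list of the secret-bearing variables without printing the secrets themselves. The sample .env is constructed, and the key-name patterns are assumptions based on Laravel's conventional variable names plus common integrations.

```python
"""Inventory the secrets in a Laravel .env file for post-compromise rotation.

Added helper, not from the campaign analysis or from Laravel. Parses the
file the way Laravel's dotenv loader reads it (quotes, `export`, comments)
and lists which variables must be rotated, with a short fingerprint instead
of the value so the report can be matched against dumps or logs safely.
"""
import hashlib
import re

# Constructed sample, modelled on Laravel's default .env layout.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:ZmFrZS1rZXktZm9yLWlsbHVzdHJhdGlvbi1vbmx5LTEyMzQ=
APP_DEBUG=false

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=shop
DB_PASSWORD="s3cr3t pass # not a comment"
# MAIL_PASSWORD=old-value-commented-out
export AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000
AWS_SECRET_ACCESS_KEY='example/secret+value'
STRIPE_SECRET=sk_test_example
MAIL_HOST=smtp.example.com
MAIL_PASSWORD=mailpass
"""

_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; handles quotes, `export`, comments and blanks."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]                      # quoted: keep everything inside
        else:
            val = val.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        values[key] = val
    return values


# Assumed categories, based on Laravel's conventional names; extend per app.
# Order matters: the first matching pattern wins, the generic catch-all is last.
SENSITIVE = [
    ("application key", re.compile(r"^APP_KEY$")),
    ("database credential", re.compile(r"^(DB_|REDIS_).*(PASSWORD|USERNAME)$")),
    ("cloud credential", re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)$")),
    ("payment key", re.compile(r"^STRIPE_(KEY|SECRET)$")),
    ("mail credential", re.compile(r"^MAIL_(USERNAME|PASSWORD)$")),
    ("generic secret", re.compile(r"(SECRET|TOKEN|PASSWORD|API_KEY)$")),
]


def classify(key: str):
    """Return the category label for a variable name, or None if not a secret."""
    for label, pattern in SENSITIVE:
        if pattern.search(key):
            return label
    return None


def rotation_plan(env: dict) -> list:
    """Return (key, category, fingerprint) for every secret-bearing variable."""
    plan = []
    for key, val in env.items():
        category = classify(key)
        if category is None or not val:
            continue
        fingerprint = hashlib.sha256(val.encode()).hexdigest()[:12]
        plan.append((key, category, fingerprint))
    return plan


if __name__ == "__main__":
    for key, category, fingerprint in rotation_plan(parse_env(SAMPLE_ENV)):
        print(f"{key:24} {category:22} sha256:{fingerprint}")
```

Run it against the real `.env` of an exposed host by reading the file into `parse_env`; the APP_KEY entry deserves special handling, since rotating it also invalidates anything Laravel encrypted with the old key.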

The exfiltration process involves a multi-channel setup, including an FTP server, the Telegram API, and the cloud storage platform GoFile. The FTP server alone contained thousands of stolen files, including over 1,850 full database dumps. In total, credentials from 6,167 unique applications were recovered, spanning sectors such as e-commerce, healthcare, finance, education, and government. Among the stolen data were more than 14,000 valid database passwords, 188 live Stripe payment keys, 381 AWS credentials, and thousands of OAuth secrets and SMTP credentials. Many of these belonged to production environments, significantly increasing the risk of follow-on attacks such as financial fraud, data theft, and account takeover.

Indicators suggest that the campaign is linked to a threat actor originating from Indonesia. Evidence includes Indonesian-language comments embedded in the malware, infrastructure associated with the Asia/Jakarta timezone, and connections to a Telegram account linked to the operation. The domain hosting the malicious payload masqueraded as a legitimate anti-bot service, further aiding in the deception.

Given the severity of the vulnerability and the scale of ongoing exploitation, organizations running Laravel Livewire should act immediately. Upgrade to a patched Livewire release (the affected range ends at 3.6.3). Upgrading closes the hole but does not undo a compromise that has already happened: any .env file on a host that was exposed while vulnerable should be treated as disclosed, and the database passwords, API keys, and application key it contains rotated. Beyond that, restrict what the web server’s user can read, keep .env outside any web-served directory, and check logs and the file system for the activity described above, including the presence of the “shoc.enz” script and unexpected outbound connections to FTP, the Telegram API, or GoFile.
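To find out quickly whether a deployment is inside the affected range, the following added check (not from the advisory or from Livewire) reads the `livewire/livewire` entry from a project's composer.lock. The page gives only an upper bound (3.6.3) and describes the v3 hydration mechanism, so a 3.x version at or below 3.6.3 is reported as affected, a later 3.x version as outside the range, and other majors or branch aliases as needing manual confirmation against the vendor advisory. The composer.lock content below is a constructed fragment using the `packages`, `name`, and `version` fields Composer writes.

```python
"""Report whether the pinned livewire/livewire version is in the affected range.

Added check, not from the advisory or from Livewire. Uses only the upper
bound the page states (3.6.3); other majors and branch aliases are flagged
as "unknown" rather than assumed safe.
"""
import json
import re

AFFECTED_MAX = (3, 6, 3)          # "affects Livewire versions up to 3.6.3"
PACKAGE = "livewire/livewire"

# Constructed composer.lock fragment.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.20.0"},
        {"name": PACKAGE, "version": "v3.6.3"},
    ],
    "packages-dev": [],
})


def parse_version(v: str):
    """'v3.6.3' -> (3, 6, 3); None for branch aliases such as 'dev-main'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None


def livewire_status(lock_text: str) -> dict:
    """Return {'installed': version or None, 'status': affected|outside-range|unknown|absent}."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        ver = parse_version(pkg.get("version", ""))
        if ver is None or ver[0] != 3:
            status = "unknown"        # branch alias or another major: confirm by hand
        elif ver <= AFFECTED_MAX:
            status = "affected"
        else:
            status = "outside-range"
        return {"installed": pkg.get("version"), "status": status}
    return {"installed": None, "status": "absent"}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(livewire_status(text))
```

Point it at a real lock file with `python check_livewire.py /path/to/composer.lock`; "outside-range" means only that the pinned version is newer than the bound this page states, so confirm the fixed version against the vendor advisory before closing the finding.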

This incident underscores the critical importance of timely software updates and vigilant security practices. As attackers continue to exploit known vulnerabilities, organizations must prioritize proactive measures to safeguard their systems and sensitive data.