Urgent Notice Amended Final

Livewire v3.6.3 Remote Command Execution Vulnerability Patched

Source: CISA ICS-CERT Advisories
Detected March 20th, 2026

Summary

CISA has issued a notice regarding a critical remote command execution vulnerability (CVE-2025-54068) in Livewire v3 up to v3.6.3. The vulnerability, which affects specific configurations and does not require authentication, has been patched in version 3.6.4.

What changed

CISA is alerting users to a critical vulnerability (CVE-2025-54068) affecting Livewire, a full-stack framework for Laravel. Versions of Livewire v3 up to and including v3.6.3 are susceptible to unauthenticated remote command execution due to improper handling of component property updates. The vulnerability has a CVSS score of 9.2 and is categorized as CRITICAL. The issue has been patched in Livewire v3.6.4.

Affected entities, primarily technology companies utilizing Livewire v3, are strongly urged to upgrade to version 3.6.4 or later immediately, as no workarounds are available. Failure to update could expose systems to exploitation, leading to code injection and potential system compromise. The CISA Known Exploited Vulnerabilities (KEV) catalog also lists this vulnerability, indicating active exploitation or high confidence in exploitation potential.

What to do next

  1. Upgrade Livewire to version 3.6.4 or later
  2. Review component configurations for potential exploitation scenarios

Source document (simplified)

Required CVE Record Information

CNA: GitHub (maintainer security advisories)

Description

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

CWE (1 total)

- CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS (1 total)

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.2 | CRITICAL | 4.0 | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |

Product Status

Versions (1 total); default status: unknown

  • affected at >= 3.0.0-beta.1, < 3.6.4
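The affected range above spans a pre-release (3.0.0-beta.1) through 3.6.3, so a naive string comparison of versions misclassifies it. The following is an added example, not part of the CVE record or the Livewire project, that checks the livewire/livewire entry of a Composer lock file against that range; the lock file content is constructed for illustration.

```python
"""Check a composer.lock for Livewire versions affected by CVE-2025-54068.

Added example, not part of the advisory. The affected range is taken from
the CVE record: >= 3.0.0-beta.1 and < 3.6.4 (fixed in 3.6.4).
"""
import json
import re

PACKAGE = "livewire/livewire"
AFFECTED_LOW = "3.0.0-beta.1"
FIXED = "3.6.4"


def parse_version(v):
    """Turn '3.6.3', 'v3.6.3' or '3.0.0-beta.1' into a comparable tuple.

    A final release sorts after any pre-release of the same x.y.z, so
    3.0.0-beta.1 < 3.0.0 < 3.6.4, matching Composer/semver ordering.
    """
    v = v.lstrip("vV")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    # (0, tag, n) for pre-releases, (1, "", 0) for final releases.
    pre = (0, m.group(4).lower(), int(m.group(5) or 0)) if m.group(4) else (1, "", 0)
    return (major, minor, patch, pre)


def is_affected(version):
    """True if this livewire/livewire version lies in the affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v < parse_version(FIXED)


def scan_lock(lock_text):
    """Return (installed version, affected?) for Livewire, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"], is_affected(pkg["version"])
    return None


# Constructed sample lock file; not taken from any real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.0.0"},
    {"name": "livewire/livewire", "version": "v3.6.3"},
]})

if __name__ == "__main__":
    print(scan_lock(SAMPLE_LOCK))  # → ('v3.6.3', True)
```

Run it against a real lock file with `scan_lock(open("composer.lock").read())`; a result of `(version, True)` means the upgrade to 3.6.4 or later is still outstanding.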

References (3 total; not reproduced on this page)

Authorized Data Publishers

CISA-ADP (updated 2026-03-20): SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC (1 total)

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| none | no | total | 2.0.3 | 2025-07-17 |

KEV (1 total)

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54068 (2026-03-20)

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CISA
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: CVE-2025-54068

Who this affects

Applies to: Technology companies
Industry sector: 5112 Software & Technology
Activity scope: Software Development, Vulnerability Management
Threshold: Livewire v3.0.0-beta.1 up to v3.6.3
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Software Security, Vulnerability Management
