Large-Scale Credential Theft Campaign Exploits Critical Laravel Livewire RCE Flaw
On May 24, 2026, cybersecurity firm Imperva uncovered a months-long credential theft campaign exploiting a critical remote code execution (RCE) vulnerability in Laravel Livewire. The campaign, which targets the flaw tracked as CVE-2025-54068, has compromised over 6,167 applications worldwide, harvesting millions of sensitive credentials across industries including e-commerce, healthcare, logistics, education, financial services, and government domains.
The flaw affects Laravel Livewire v3 (all versions up to v3.6.3) and stems from improper validation during the framework's hydration process, which restores component state from browser requests. Attackers exploit this by injecting malicious serialized PHP objects, leveraging PHPGGC gadget chains to execute arbitrary code. Once exploited, the payload fetches a Bash-based credential stealer (shoc.enz) from the attacker's command-and-control (C2) server at xantibot[.]pw; the stealer had no detections on VirusTotal at the time of analysis.
The malware systematically scans infected systems for .env files, extracting high-value credentials such as database passwords, Stripe API keys, AWS IAM credentials, SMTP passwords, and JWT secrets. Analysis of the attacker’s infrastructure revealed 14,566 database passwords, 188 live Stripe keys, 381 AWS credentials, and over 26 million email addresses exfiltrated across three channels: a primary FTP server (47.129.100.149), Telegram for real-time alerts, and GoFile as a cloud backup.
Evidence points to an Indonesian-origin threat actor, with Indonesian-language comments in the malware, a hardcoded Asia/Jakarta timezone, and ties to the Telegram handle @ashtarotz and the C2 domain. The GoFile account was registered to azrilsyahputra1337@gmail[.]com, an address linked to multiple BreachForums data breaches between 2022 and 2026.
Victims include both commercial and open-source Laravel applications, such as Invoice Ninja, Akaunting, and Attendize, with no distinction between private and public-sector targets. Organizations running unpatched Laravel Livewire v3 are urged to upgrade to v3.6.4 or later to mitigate the flaw. Key indicators of compromise (IOCs) include the C2 domain (xantibot[.]pw), the FTP exfiltration server (47.129.100.149), and the SHA-256 hash of the shoc.enz malware.
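The two checks a defender would run first on the basis of this advisory are a version check against the fixed release and a sweep of outbound-connection logs for the network indicators. The script below is an added example written for this summary; it is not Imperva's, Laravel's or Livewire's code. It parses a composer.lock, flags livewire/livewire v3 below v3.6.4 as affected (v2 is reported as out of scope because the advisory only names v3), and matches log lines against the C2 domain and FTP server listed above. The composer.lock content and the log lines are constructed sample data, and the SHA-256 value is a placeholder because the advisory does not print the hash.

```python
"""Defensive checks derived from the Livewire hydration RCE advisory.

Added example, not vendor code. The composer.lock text and the log
lines are constructed samples; the SHA-256 is a placeholder only.
"""
import json
import re

FIXED_VERSION = (3, 6, 4)          # first patched Livewire v3 release named in the advisory
PACKAGE = "livewire/livewire"

# Network IoCs from the advisory; the defanged "[.]" is undone for matching.
IOC_DOMAIN = "xantibot[.]pw".replace("[.]", ".")
IOC_IP = "47.129.100.149"
# The advisory references a SHA-256 for shoc.enz but does not print it.
IOC_SHA256_PLACEHOLDER = "<sha256-of-shoc.enz-from-advisory>"


def parse_version(text):
    """'v3.6.3' -> (3, 6, 3). Pre-release suffixes such as '-beta.1' are dropped."""
    core = text.lstrip("vV").split("-", 1)[0]
    nums = []
    for part in core.split(".")[:3]:
        digits = re.match(r"\d+", part)
        nums.append(int(digits.group()) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def livewire_status(composer_lock_text):
    """Classify the locked Livewire version.

    'affected'      : major version 3 and below v3.6.4
    'patched'       : v3.6.4 or later
    'out_of_scope'  : not a v3 release (the advisory only covers v3)
    'not_installed' : package absent from composer.lock
    """
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                ver = parse_version(pkg.get("version", "0"))
                if ver[0] != 3:
                    state = "out_of_scope"
                elif ver < FIXED_VERSION:
                    state = "affected"
                else:
                    state = "patched"
                return {"version": pkg.get("version"), "state": state}
    return {"version": None, "state": "not_installed"}


# Word-boundary guards so "147.129.100.149" or "notxantibot.pw" do not match.
IOC_PATTERN = re.compile(
    r"(?<![\w.-])(" + re.escape(IOC_DOMAIN) + "|" + re.escape(IOC_IP) + r")(?![\w.-])"
)


def find_ioc_hits(log_lines):
    """Return (line_number, indicator) for each line carrying a network IoC."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        match = IOC_PATTERN.search(line)
        if match:
            hits.append((n, match.group(1)))
    return hits


# Constructed sample composer.lock: Livewire pinned at the last affected release.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

# Constructed outbound-connection log lines (RFC 5737 addresses for benign traffic).
SAMPLE_LOG = [
    "2026-05-20T10:01:02Z app01 CONNECT 203.0.113.10:443 example.com",
    "2026-05-20T10:01:09Z app01 CONNECT 198.51.100.7:80 xantibot.pw GET /shoc.enz",
    "2026-05-20T10:01:15Z app01 CONNECT 47.129.100.149:21 ftp",
    "2026-05-20T10:02:00Z app01 CONNECT 203.0.113.11:443 api.stripe.com",
]

if __name__ == "__main__":
    print(livewire_status(SAMPLE_COMPOSER_LOCK))
    for n, indicator in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: matched IoC {indicator}")
```

Run it against a real composer.lock and a day of egress logs by replacing the two sample inputs; an `affected` result means the application should be upgraded and, because the stealer reads .env, every secret in that file rotated regardless of whether the log sweep finds anything.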
Source: https://cyberpress.org/critical-laravel-livewire-rce-flaw-exploited/
Laravel cybersecurity rating report: https://www.rankiteo.com/company/laravel
{
"id": "LAR1782311560",
"linkid": "laravel",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Software', 'name': 'Invoice Ninja', 'type': 'Commercial/Open-Source Application'},
                       {'industry': 'Software', 'name': 'Akaunting', 'type': 'Commercial/Open-Source Application'},
                       {'industry': 'Software', 'name': 'Attendize', 'type': 'Commercial/Open-Source Application'},
                       {'industry': ['E-commerce', 'Healthcare', 'Logistics', 'Education', 'Financial Services', 'Government'], 'type': 'Organization'}],
 'attack_vector': 'Remote Code Execution (RCE)',
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['.env files'],
                 'number_of_records_exposed': 'Over 26 million email addresses, 14,566 database passwords, 188 Stripe keys, 381 AWS credentials',
                 'personally_identifiable_information': 'Email addresses, credentials',
                 'sensitivity_of_data': 'High (PII, financial credentials, authentication secrets)',
                 'type_of_data_compromised': ['Database passwords', 'Stripe API keys', 'AWS IAM credentials', 'SMTP passwords', 'JWT secrets', 'Email addresses']},
 'date_detected': '2026-05-24',
 'date_publicly_disclosed': '2026-05-24',
 'description': 'On May 24, 2026, cybersecurity firm Imperva uncovered a months-long credential theft campaign targeting a critical remote code execution (RCE) vulnerability in Laravel Livewire. The operation, tracked as CVE-2025-54068, has compromised over 6,167 applications worldwide, harvesting millions of sensitive credentials across industries, including e-commerce, healthcare, logistics, education, financial services, and government domains.',
 'impact': {'data_compromised': '14,566 database passwords, 188 live Stripe keys, 381 AWS credentials, over 26 million email addresses',
            'identity_theft_risk': 'High (millions of email addresses and credentials exposed)',
            'payment_information_risk': 'High (Stripe API keys exposed)',
            'systems_affected': '6,167 applications worldwide'},
 'initial_access_broker': {'entry_point': 'Laravel Livewire RCE (CVE-2025-54068)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Data exfiltration, credential harvesting',
 'post_incident_analysis': {'corrective_actions': 'Patch vulnerability, rotate credentials, implement monitoring for IOCs.',
                            'root_causes': "Improper validation during Laravel Livewire's hydration process, leading to arbitrary code execution via PHPGGC gadget chains."},
 'recommendations': 'Upgrade Laravel Livewire to v3.6.4 or later, rotate all exposed credentials, monitor for IOCs (C2 domain, FTP server, malware hash).',
 'references': [{'source': 'Imperva'}, {'source': 'VirusTotal'}, {'source': 'BreachForums'}],
 'response': {'containment_measures': 'Upgrade to Laravel Livewire v3.6.4 or later',
              'remediation_measures': 'Patch vulnerability (CVE-2025-54068), rotate exposed credentials',
              'third_party_assistance': 'Imperva'},
 'threat_actor': 'Indonesian-origin threat actor',
 'title': 'Large-Scale Credential Theft Campaign Exploits Critical Laravel Livewire RCE Flaw',
 'type': 'Credential Theft',
 'vulnerability_exploited': 'CVE-2025-54068 (Laravel Livewire v3 improper validation during hydration process)'}