
Laravel Livewire Applications Compromised to Steal Credentials Exploiting RCE Vulnerability

Cybersecurity News Archived Jun 24, 2026 ✓ Full text saved



By Abinaya, June 24, 2026

A large-scale cyber campaign targeting Laravel Livewire applications has been uncovered, with attackers exploiting a critical remote code execution (RCE) flaw to steal sensitive credentials from thousands of systems worldwide. Security researchers at Imperva first observed the activity on May 24, 2026, when their Cloud Web Application Firewall blocked suspicious deserialization attacks that were later linked to active exploitation of CVE-2025-54068.

The vulnerability affects Laravel Livewire v3 versions up to 3.6.3 and stems from improper validation during the framework's hydration process. When application state is restored from user input, the framework fails to verify the integrity of that data before deserializing it. This allows unauthenticated attackers to inject malicious serialized PHP objects, ultimately enabling arbitrary command execution on vulnerable servers. Analysis of captured attack traffic shows that the attackers used PHPGGC gadget chains to construct payloads that execute remote shell commands.

Laravel Livewire Apps Compromised

In observed cases, compromised systems were instructed to download a malicious Bash script from a command-and-control server and execute it silently in the background. This script, identified as "shoc.enz," is a credential-harvesting tool designed to locate and extract sensitive configuration data from Laravel environments. Once deployed, the malware scans the entire file system for .env files, which store critical application secrets such as database credentials, API keys, and encryption keys.

[Image: Exposed Backup Files Leak Sensitive Data (source: Imperva)]

It extracts key fields including database hostnames, usernames, passwords, and application keys, then stages and compresses the data before exfiltrating it through multiple channels. To evade detection, the script removes traces of its activity after execution.

According to researchers at Imperva, the attackers used a multi-channel exfiltration setup involving an FTP server, the Telegram API, and the cloud storage platform GoFile. The FTP server alone contained thousands of stolen files, including over 1,850 full database dumps. In total, credentials from 6,167 unique applications were recovered, spanning sectors such as e-commerce, healthcare, finance, education, and government.

Further analysis revealed the scale of the breach. Among the stolen data were more than 14,000 valid database passwords, 188 live Stripe payment keys, 381 AWS credentials, and thousands of OAuth secrets and SMTP credentials.

[Image: GoFile exfiltration account (source: Imperva)]

Many of these belonged to production environments, significantly increasing the risk of follow-on attacks such as financial fraud, data theft, and account takeover.

Attribution indicators suggest the campaign is linked to an Indonesian-origin threat actor. Evidence includes Indonesian-language comments embedded in the malware, infrastructure associated with the Asia/Jakarta timezone, and connections to a Telegram account linked to the operation. The domain hosting the malicious payload masqueraded as a legitimate anti-bot service, further aiding deception.

The campaign appears to rely on indiscriminate internet-wide scanning to identify vulnerable Laravel deployments. Targets spanned a wide range of industries and geographic regions, with no clear preference for either private enterprises or public-sector organizations. Even widely used open-source Laravel applications were found among the victims.

Security experts warn that this campaign demonstrates how a single unpatched vulnerability can enable mass-scale credential harvesting. Organizations using Laravel Livewire are strongly advised to upgrade to version 3.6.4 or later to mitigate the flaw. Additionally, restricting outbound connections, monitoring unusual API traffic, and rotating compromised credentials are critical steps to reduce risk and prevent further exploitation.
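Two defensive checks that follow from the article, added here as an example and not code from Cyber Security News or Imperva: one reads composer.lock to see whether a project still pins a Livewire v3 release older than the patched 3.6.4, the other scans request logs for calls to the Livewire update endpoint whose body carries a serialized PHP object, the shape a gadget-chain payload takes. The /livewire/update path, the log format and the gadget class name are assumptions and constructed samples.

```python
"""Added triage helpers (not from the article or Imperva): version check for
livewire/livewire against the fixed 3.6.4, and a log scan for Livewire update
requests whose body carries a serialized PHP object."""
import json
import re

FIXED_VERSION = (3, 6, 4)  # first patched release named in the article

# A serialized PHP object starts with O:<name length>:"<ClassName>"; inside a JSON
# request body the quotes arrive escaped as \", so the backslash is optional here.
PHP_OBJECT_RE = re.compile(r'O:\d+:\\?"[A-Za-z0-9_\\]+\\?"')


def parse_version(version: str) -> tuple:
    """'v3.6.3' -> (3, 6, 3); tolerates a leading 'v' and ignores extra parts."""
    return tuple(int(p) for p in version.lstrip("v").split(".")[:3])


def livewire_is_vulnerable(composer_lock_json: str) -> bool:
    """True when composer.lock pins livewire/livewire to a v3 release older than 3.6.4."""
    for pkg in json.loads(composer_lock_json).get("packages", []):
        if pkg.get("name") == "livewire/livewire":
            ver = parse_version(pkg["version"])
            return ver[0] == 3 and ver < FIXED_VERSION
    return False  # Livewire not installed


def flag_suspicious_updates(log_lines):
    """Return (line number, matched marker) for POSTs to the assumed Livewire update
    endpoint whose logged body contains a serialized PHP object."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if "POST /livewire/update" not in line:
            continue
        match = PHP_OBJECT_RE.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed sample inputs; the class name, IPs and body layout are placeholders.
LOCK_VULNERABLE = json.dumps({"packages": [{"name": "livewire/livewire", "version": "v3.6.3"}]})
LOCK_PATCHED = json.dumps({"packages": [{"name": "livewire/livewire", "version": "v3.6.4"}]})
SAMPLE_LOG = [
    '198.51.100.4 "POST /livewire/update" 200 body={"components":[{"snapshot":"{\\"data\\":{\\"count\\":1}}"}]}',
    '203.0.113.7 "POST /livewire/update" 500 body={"components":[{"snapshot":"{\\"data\\":{\\"x\\":\\"O:13:\\"Vendor\\\\Gadget\\"...\\"}}"}]}',
    '203.0.113.7 "GET /login" 200 body=',
]

if __name__ == "__main__":
    print("vulnerable:", livewire_is_vulnerable(LOCK_VULNERABLE), livewire_is_vulnerable(LOCK_PATCHED))
    print("suspicious update requests:", flag_suspicious_updates(SAMPLE_LOG))
```

A hit from the log scan is a triage lead, not proof of compromise; pair it with the version check and the outbound-connection and credential-rotation steps the article recommends.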