- CVE: CVE-2025-54068
- CVSS: 9.8 (Critical · CVSSv3)
- Product: livewire/livewire (composer)
- Affected: >= 3.0.0-beta.1, < 3.6.4
- Impact: Livewire vulnerable to remote command execution during property update hydration
- Status: Exploited in the wild
- Patched in: 3.6.4
- EPSS: 59.4% (30-day)
- Action: Update to 3.6.4 now
At a glance
- Actor: Suspected Indonesian-origin threat actor (“Wong Gen Deng”)
- Activity Type: Unauthenticated Remote Code Execution (RCE) and credential theft
- Targets: E-commerce, healthcare, finance, education, and government sectors
- Scale: Over 6,000 applications compromised; 26 million email addresses stolen
- Jurisdiction: Active campaign; no official arrests or charges announced
- Source: Imperva Cloud WAF and threat intelligence researchers
TL;DR
Attackers are actively exploiting a critical Laravel Livewire vulnerability to steal sensitive data. The campaign exploits CVE-2025-54068 to extract database credentials and payment keys. Therefore, defenders must patch their systems immediately to prevent widespread data loss.
What happened
On May 24, 2026, Imperva blocked a massive wave of deserialization attack traffic. Analysts soon discovered a large-scale credential theft operation. This campaign exploited the Laravel Livewire vulnerability, known as CVE-2025-54068. It is a critical unauthenticated remote code execution flaw. Currently, the issue affects Laravel Livewire v3 up to version 3.6.3.
During hydration of property updates, the framework fails to verify the integrity of the submitted data. Consequently, an attacker can inject a malicious PHP object through a crafted browser request, which triggers arbitrary code execution on the target server.
Next, the attacker deploys a Bash shell script named shoc.enz. This malware then scans the filesystem for .env files. Afterward, it extracts sensitive values like database passwords and application keys. Researchers detailed this activity in a recent Imperva report. The report states, “The campaign … has been running for several months, as evidenced by the large volume of stolen data.” Finally, the malware archives the stolen files and uploads them to remote servers.
Who is behind it
Security experts link this campaign to a suspected Indonesian threat actor. High-confidence indicators support this attribution. For instance, analysts found Indonesian-language comments in the malware source code. The timezone reference also points to Asia/Jakarta.
Furthermore, investigators identified the Telegram handle @ashtarotz. The actor uses the display name “Wong Gen Deng.” This account connects directly to a domain hosting the malware payload. Moreover, the attacker registered an exfiltration account using the email azrilsyahputra1337@gmail.com. Historical data places this email within underground breach forums since at least 2022. Law enforcement authorities have not announced any official charges.
Impact or scale
The scale of this credential theft operation is massive. The attacker’s exfiltration servers held data from 6,167 distinct applications. Victims span various sectors and dozens of countries. Targeting appeared indiscriminate across online gambling, e-commerce, and government domains.
The stolen files contained highly sensitive information. Attackers allegedly compromised database passwords for 14,566 systems. They also acquired 188 live Stripe secret keys and 381 valid AWS IAM credentials. The report notes, “A single .env file can provide everything needed to access the application’s database, impersonate users, process payments, and access cloud infrastructure.”
Additionally, the attacker’s FTP server held over 1,850 full database dumps. This confirms the stolen credentials were used to extract database contents. The actor also accumulated over 26 million email addresses.
What comes next and protection
Organizations running unpatched systems remain at severe risk. System administrators should update Laravel Livewire to version 3.6.4 or later immediately. This patch is the only reliable mitigation for CVE-2025-54068.
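Because the affected range starts at a pre-release tag (3.0.0-beta.1) and ends just below the fix (3.6.4), a naive string comparison of version numbers gets the edge cases wrong. The following script, added here as an example and not part of the report or of the Livewire project, reads a composer.lock and reports whether the pinned livewire/livewire version falls inside the affected range; the lock-file excerpt it uses is constructed for the example, and the pre-release ordering it implements (alpha < beta < RC < final) is an assumption that matches Composer's conventions.

```python
"""Check a composer.lock for a livewire/livewire version inside the range
affected by CVE-2025-54068 (>= 3.0.0-beta.1, < 3.6.4).
The lock-file excerpt at the bottom is constructed for this example."""
import json
import re

AFFECTED_MIN = "3.0.0-beta.1"   # first affected version, from the advisory
FIXED = "3.6.4"                 # first fixed version, from the advisory


def parse_version(ver):
    """Turn a Composer version string into a comparable tuple.

    Pre-release labels (alpha/beta/RC) sort below the final release with the
    same number, matching Composer's own ordering (assumption for this example).
    """
    ver = ver.strip().lstrip("vV")
    core, _, pre = ver.partition("-")
    nums = [int(x) for x in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    if not pre:
        # Final release: the flag 1 ranks it above any pre-release of the same number
        return (*nums[:3], 1, ())
    m = re.match(r"([A-Za-z]+)\.?(\d*)", pre)
    if not m:
        return (*nums[:3], 0, (0, 0))
    label, num = m.group(1).lower(), int(m.group(2) or 0)
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(label, 0)
    return (*nums[:3], 0, (rank, num))


def is_affected(ver):
    """True when ver lies in [AFFECTED_MIN, FIXED)."""
    return parse_version(AFFECTED_MIN) <= parse_version(ver) < parse_version(FIXED)


def check_lock(lock_json_text):
    """Return (version, affected?) for every livewire/livewire entry in the lock."""
    lock = json.loads(lock_json_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "livewire/livewire":
                findings.append((pkg["version"], is_affected(pkg["version"])))
    return findings


# Constructed composer.lock excerpt (only the fields this check reads)
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, affected in check_lock(SAMPLE_LOCK):
        state = "AFFECTED - update to 3.6.4 or later" if affected else "not affected"
        print(f"livewire/livewire {version}: {state}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the contents of the project's composer.lock; a result of "not affected" for a Livewire v2 install only means this CVE does not apply, not that the install is otherwise current.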
Network defenders must block outbound FTP traffic on port 21. Production servers rarely need this protocol. Security teams should also monitor for suspicious connections to api.telegram.org and upload.gofile.io.
If a compromise is suspected, administrators must rotate all database credentials immediately. They must also rotate Laravel APP_KEY values and review access logs. The initial server breach often serves as just the beginning of a larger data exposure.
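The report names two kinds of egress to watch: outbound FTP on port 21 and connections to api.telegram.org or upload.gofile.io. The script below is an added example, not part of the report, that applies those checks to egress log lines; the key=value log format and the sample events are constructed for the example, so the parser will need adapting to the format your firewall or proxy actually emits.

```python
"""Flag egress events matching the indicators named in the report:
outbound TCP to port 21 (FTP) and connections to api.telegram.org or
upload.gofile.io. Log format and sample lines are constructed for this
example (assumed key=value fields, one event per line)."""
import re

WATCHED_HOSTS = {"api.telegram.org", "upload.gofile.io"}   # from the report
WATCHED_PORTS = {21}   # production web servers rarely need outbound FTP

# Constructed sample egress log: timestamp, then key=value fields
SAMPLE_LOG = """\
2026-05-24T10:00:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 host=packagist.org
2026-05-24T10:00:02Z src=10.0.0.5 dst=203.0.113.9 dport=21 host=-
2026-05-24T10:00:03Z src=10.0.0.5 dst=198.51.100.4 dport=443 host=api.telegram.org
2026-05-24T10:00:04Z src=10.0.0.5 dst=198.51.100.8 dport=443 host=upload.gofile.io
2026-05-24T10:00:05Z src=10.0.0.6 dst=203.0.113.7 dport=443 host=github.com
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD.findall(rest))
    event["ts"] = ts
    return event


def classify(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    try:
        port = int(event.get("dport", -1))
    except ValueError:
        port = -1
    if port in WATCHED_PORTS:
        reasons.append(f"outbound port {port}")
    # Normalise the host so trailing dots or case differences do not evade the match
    host = event.get("host", "").lower().rstrip(".")
    if host in WATCHED_HOSTS:
        reasons.append(f"watched host {host}")
    return reasons


def scan(log_text):
    """Return (timestamp, src, dst, reasons) for every flagged event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            findings.append((event["ts"], event.get("src"), event.get("dst"), reasons))
    return findings


if __name__ == "__main__":
    for ts, src, dst, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {', '.join(reasons)}")
```

A hit on the watched hosts is a strong signal on a server that has no business talking to Telegram or a file-sharing service, but port 21 alone is a weaker one; treat a flagged source as a host whose .env-derived credentials and APP_KEY should be rotated and whose access logs deserve review, as the report recommends.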