How a Livewire Vulnerability Led to Crypto Mining on Our Server


Last week, what initially looked like a routine performance problem turned into a full-scale security incident. Slow page loads and lagging Livewire components eventually led us to uncover an active crypto-mining operation running on our production server.

If you’re using Livewire in production, this is something you need to read.


The First Warning Signs

The issue began with degraded performance. Pages were taking longer to load, and Livewire components felt noticeably sluggish. Server monitoring showed a growing number of PHP-FPM processes stuck in a pending state, all consuming significant resources.

Because the problem appeared shortly after a deployment, we assumed it was related to the release. We terminated the processes, and performance immediately improved.

At the time, it looked resolved.


When the Problem Came Back

A few hours later, the slowdown returned — worse than before. CPU usage spiked close to 100% between 1:00 PM and 1:30 PM. This time, a deeper inspection revealed a suspicious long-running process that didn’t belong on the server.

It was a crypto-mining binary actively connecting to a Monero mining pool.

At that point, it was clear the server had been compromised.


What We Found on the Server

Further investigation uncovered multiple malicious files scattered throughout the application directories.

In the storage directory:

  • gd.py

  • guard.sh

  • stmept

  • wp-admin.php

In the public directory:

  • A lock file: 339a36afe37df27417e6c26b684845d4.lock

  • Several randomly named PHP files

  • Another fake wp-admin.php

The most concerning discovery was the stmept binary. Even after deleting it and deploying fresh builds, it would reappear within minutes — a clear sign of persistent remote execution.


A Missed Warning

Looking back, there had been an earlier incident about a week prior. One of our other content sites had been compromised through remote file execution. The attackers wiped the index.php, leaving the site blank.

We cleaned the files and restored the site, but we never identified the initial entry point. At the time, we treated it as an isolated incident.

It wasn’t.


Chasing the Root Cause

With help from our hosting provider, we tried everything:

  • Tightening request validation

  • Reviewing installed Composer packages

  • Scanning for backdoors using automated tools

  • Killing processes and redeploying clean releases

Nothing stopped the malware from returning.

The breakthrough came after finding a blog post describing an almost identical attack pattern — same behavior, same crypto-mining setup, same persistence.


The Cause: CVE-2025-54068

The root issue was CVE-2025-54068, a remote code execution vulnerability disclosed in April 2025.

This vulnerability affects Livewire versions prior to 4.0 and allows attackers to execute arbitrary commands on the server through crafted requests — no authentication required.

At the time, we were running Livewire 3.5 across multiple projects.

Every one of them was vulnerable.


How We Fixed It

The solution was straightforward, but critical.

We updated all affected projects to Livewire 4.0 using Composer. Once the update was deployed:

  • The malicious processes stopped reappearing

  • CPU usage returned to normal

  • No further suspicious files were created

The issue was fully resolved.


Key Takeaways

  • Update immediately: If you’re running Livewire below version 4.0, upgrade now. This is a serious RCE vulnerability.

  • Watch server performance closely: Unexpected CPU spikes can be a sign of compromise, not just bad code.

  • Don’t ignore related incidents: Earlier attacks are often connected, even if they seem isolated.

  • Performance problems can be security problems: Slow sites aren’t always just optimization issues.


What You Should Do Now

If Livewire is part of your stack:

  1. Check your Livewire version:

     composer show livewire/livewire

  2. Upgrade to version 4.0 or later if you’re running anything older

  3. Scan your storage and public directories for unfamiliar files

  4. Review running processes for unusual or persistent CPU usage
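A defender-side triage script that walks through the four steps above, written for this post as an added example (it is not the original author's code). It assumes a standard Laravel layout (composer.lock, storage/ and public/ in the working directory) and uses the file names found in this incident as its suspect patterns.

```shell
#!/bin/sh
# Post-incident triage helper (added example, not from the original post).
# Assumes a standard Laravel layout: composer.lock, storage/ and public/ in $PWD.

# True (exit 0) when a Livewire version string is below the 4.x line.
# Accepts "3.5.1" or "v3.5.1" as written in composer.lock; returns 2 if unparseable.
needs_upgrade() {
  v=${1#v}
  major=${v%%.*}
  case $major in ''|*[!0-9]*) return 2 ;; esac
  [ "$major" -lt 4 ]
}

# Read the installed livewire/livewire version straight from composer.lock, so the
# check does not depend on running composer on a host you no longer trust.
installed_livewire_version() {
  awk '/"name": "livewire\/livewire"/ {hit=1}
       hit && /"version":/ {gsub(/[",]/, "", $2); print $2; exit}' "${1:-composer.lock}"
}

# Files that do not belong in a Laravel storage/ or public/ tree. Legitimate
# exceptions: compiled Blade views under storage/framework/views and public/index.php.
# The name patterns (*.py, *.sh, stmept, *.lock) are the artifacts found in this incident.
find_suspect_files() {
  storage=$1 public=$2
  find "$storage" -type f \
    \( -name '*.php' -o -name '*.py' -o -name '*.sh' -o -name stmept \) \
    ! -path "$storage/framework/views/*"
  find "$public" -type f \
    \( \( -name '*.php' ! -name index.php \) -o -name '*.lock' \)
}

# Long-running, CPU-heavy processes (Linux procps syntax): the miner ran for hours near 100%.
cpu_hogs() {
  ps -eo pid,etimes,pcpu,user,comm --sort=-pcpu | head -n "${1:-10}"
}

main() {
  ver=$(installed_livewire_version composer.lock)
  if [ -z "$ver" ]; then
    echo "livewire/livewire not found in composer.lock"
  elif needs_upgrade "$ver"; then
    echo "Livewire $ver is below 4.0: run 'composer update livewire/livewire'"
  else
    echo "Livewire $ver: at or above 4.0"
  fi
  echo "--- files that should not be here ---"; find_suspect_files storage public
  echo "--- top CPU consumers (pid, seconds running, %cpu, user, command) ---"; cpu_hogs
}

# Run the triage only when invoked as: sh triage.sh run
case "${1:-}" in run) main ;; esac
```

Run it from the Laravel project root; anything it lists under "files that should not be here" deserves a look before the next redeploy, since in this incident a clean release alone did not remove the persistence.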


This post was originally published on our blog to help raise awareness.
If you found it useful, consider sharing it with other Laravel and Livewire developers — this vulnerability is widespread and easy to miss.
