CISA issues alert on Livewire Filemanager RCE via PHP uploads
Livewire Filemanager, a component intended for embedding in Laravel applications, contains a flaw that lets uploaded PHP files be executed on the host, allowing an unauthenticated attacker to run arbitrary server-side code.
The issue is tracked as CVE-2025-14894. LivewireFilemanagerComponent.php performs no file type or MIME validation, so a malicious PHP file can be uploaded and then executed on the server (remote code execution, RCE). By default, uploaded files are stored under storage/app/public; once the php artisan storage:link command has been run, that directory is served over the web, and an uploaded PHP file can be reached and executed through the /storage/ URL when a user ID is passed alongside the request. The Livewire Filemanager documentation states that file type validation is out of scope for the component and recommends that users implement their own validation.
The vulnerability permits unauthenticated remote code execution as the web server user, giving full read and write access to every file that user can reach and a foothold from which to pivot to and compromise other connected systems. This makes CVE-2025-14894 a high impact vulnerability.
At the time of publication the vendor had not acknowledged the vulnerability. CERT/CC recommends exercising greater caution when using Livewire Filemanager: verify whether php artisan storage:link has been run and is therefore serving storage/app/public over the web, and if so consider disabling that web-serving configuration for the component.
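The check CERT/CC recommends, as an added example that is not part of the advisory or of the Livewire Filemanager project: a POSIX shell audit that reports whether public/storage is linked to storage/app/public, lists any PHP-executable files sitting in that published tree, and can remove the link. The extension list and the sample app tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the Livewire Filemanager project).
# Audits a Laravel app tree for the exposure CERT/CC describes: is
# storage/app/public published under public/storage by `php artisan storage:link`,
# and does that published tree contain anything a PHP handler would execute?

# 0 if public/storage is a symlink (storage:link has been run), 1 otherwise.
storage_link_present() {
  [ -L "$1/public/storage" ]
}

# Lists files under storage/app/public with extensions a typical PHP handler
# executes. The extension list is an assumption for this example.
find_php_under_public_storage() {
  find "$1/storage/app/public" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \) \
    2>/dev/null
}

# Number of such files, as a plain integer.
count_php_under_public_storage() {
  find_php_under_public_storage "$1" | wc -l | tr -d ' '
}

# The mitigation the advisory suggests: stop serving storage/app/public over
# the web by removing public/storage (only if it really is a symlink).
remove_storage_link() {
  [ -L "$1/public/storage" ] && rm "$1/public/storage"
}

# Prints a short report; returns 0 if the tree is not web-served, 1 if exposed.
audit_app() {
  if storage_link_present "$1"; then
    echo "public/storage is linked: storage/app/public is web-served"
    echo "PHP-executable files under storage/app/public: $(count_php_under_public_storage "$1")"
    find_php_under_public_storage "$1"
    return 1
  fi
  echo "public/storage is not linked: storage/app/public is not web-served"
  return 0
}

# Builds a constructed sample tree (fake Laravel app) for demonstration only.
make_sample_app() {
  mkdir -p "$1/public" "$1/storage/app/public/uploads"
  ln -s ../storage/app/public "$1/public/storage"
  printf 'not php\n' > "$1/storage/app/public/uploads/photo.jpg"
  printf '<?php // constructed placeholder, not an exploit\n' > "$1/storage/app/public/uploads/upload.php"
}

# Usage: sh audit.sh /path/to/laravel-app
if [ -n "${1:-}" ]; then audit_app "$1"; fi
```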