Unpatched RCE in Livewire Filemanager Grants Full Server Access

A critical vulnerability has emerged within a popular utility for the Laravel framework, effectively transmuting a standard file uploader into a conduit for remote arbitrary code execution. The flaw resides in Livewire Filemanager, where a systemic oversight permits unauthenticated adversaries to upload malicious PHP binaries to the server and subsequently invoke them via a conventional web browser.

Designated as CVE-2025-14894 (with a CVSS score of 7.5), this vulnerability afflicts the LivewireFilemanagerComponent.php component. The crux of the issue lies in the module’s failure to scrutinize file extensions or MIME types during the ingress process. While the developers originally posited that file filtration was the prerogative of the end-user, the confluence of this permissive architecture and Laravel’s standard configurations facilitates a trivial exploitation path.

In many Laravel environments, the deployment of the php artisan storage:link command creates a public symbolic link to the storage/app/public directory, ostensibly to serve assets via the web. Under normal circumstances, this is a secure practice; however, as Livewire Filemanager permits the upload of any PHP script, these files become instantly accessible via a public URL within the /storage path.

An attacker need only upload a crafted script and access it through a browser to achieve execution on the server under the privileges of the web user—entirely bypassing authentication. This breach grants comprehensive file access, the ability to establish persistent backdoors, and the potential for lateral movement throughout the infrastructure.

According to CERT/CC, the ramifications are catastrophic, granting full control over the web server’s environment. Through this foothold, malicious actors may maintain persistence, exfiltrate sensitive intelligence, or repurpose the server as a vanguard for assaults on adjacent network nodes.

At this juncture, the developers of Livewire Filemanager have yet to formally acknowledge the defect or disseminate a remediation. Security experts urgently advise Laravel administrators to ascertain whether Livewire Filemanager is being utilized in tandem with public storage links. If the symbolic link has already been established, it is recommended to temporarily rescind web access to the upload directory or excise the Filemanager entirely until a definitive patch is authored.