IRONSMITHINTEL
HIGHCVSS8.1
|
Actively Exploited
|CISA KEV|CVE-2018-15133|Auth: none — unauthenticated|Reboot: required|Manual only

Laravel Deserialization of Untrusted Data Vulnerability

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).

Published Aug 9, 2018 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2024-02-06 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Deserialization of Untrusted Data (CWE-502) vulnerability in Laravel Laravel Framework. In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. Exploitation requires remote network access, higher attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running laravel: v ≤ 5.5.40, 5.6.0 ≤ v ≤ 5.6.29
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

References

    1
    Vendor advisory: https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2018-15133
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15133
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2018-15133NVDVendor Advisory