
CVE-2025-3586: CWE-863 Incorrect Authorization in Liferay Portal

Severity: High
Identifiers: CVE-2025-3586, CWE-863
Published: Mon Sep 01 2025 (09/01/2025, 18:07:56 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions. In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses. Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.

AI-Powered Analysis

Last updated: 09/01/2025, 18:32:45 UTC

Technical Analysis

CVE-2025-3586 is a high-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.3.27 through 7.4.3.42, and various 2023 and 2024 quarterly releases of Liferay DXP. The vulnerability arises from incorrect authorization controls (CWE-863) in the Objects module, which fails to restrict the execution of Groovy scripts in Object actions for users holding the Instance Administrator role. This flaw enables remote authenticated administrators to execute arbitrary Groovy scripts, effectively allowing remote code execution (RCE) within the affected Liferay instances. The vulnerability does not require user interaction but does require administrative privileges, which are typically limited to trusted personnel. Notably, Liferay DXP SaaS versions have mitigated this risk by disallowing Groovy script execution in Object actions altogether. Starting with Liferay DXP 2024.Q2, a configurable feature was introduced to allow administrators to enable or disable Groovy script execution, providing a security control to mitigate this risk. The CVSS 4.0 base score of 7.5 reflects the high impact on confidentiality, integrity, and availability, combined with the requirement for high privileges but no user interaction. No known exploits are currently reported in the wild, but the potential for severe impact remains significant due to the nature of RCE and administrative access.

Potential Impact

For European organizations using affected versions of Liferay Portal or Liferay DXP, this vulnerability poses a significant risk. Successful exploitation could lead to full system compromise, data breaches, unauthorized data manipulation, and service disruption. Given Liferay's widespread use as a portal and content management platform in enterprises, government agencies, and public sector organizations across Europe, the vulnerability could affect sensitive information and critical business operations. Attackers leveraging this vulnerability could implant backdoors, exfiltrate confidential data, or disrupt services, potentially affecting compliance with GDPR and other data protection regulations. The requirement for administrative privileges limits the attack surface somewhat, but an insider holding the Instance Administrator role, or an attacker who has obtained such credentials, could still exploit it. The ability to execute arbitrary Groovy scripts remotely elevates the risk of lateral movement and persistent threats within affected networks.

Mitigation Recommendations

European organizations should immediately assess their Liferay Portal and DXP deployments to identify whether they are running affected versions. Mitigation steps include:

1) Upgrade to Liferay DXP 2024.Q2 or later, where administrators can disable Groovy script execution in Object actions via Instance Settings.
2) For self-hosted or PaaS deployments, apply any available patches or updates from Liferay addressing this vulnerability.
3) Restrict and monitor administrative access rigorously, enforcing strong authentication mechanisms such as multi-factor authentication (MFA) for Instance Administrator roles.
4) Audit and review Object actions for unauthorized or suspicious Groovy scripts.
5) Implement network segmentation and monitoring to detect anomalous script execution or lateral movement.
6) Consider disabling Groovy scripting capabilities entirely if not required for business processes.
7) Maintain comprehensive logging and alerting on administrative activities within Liferay to detect potential exploitation attempts.

These measures go beyond generic advice by focusing on configuration controls, access management, and proactive monitoring specific to this vulnerability.
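The first step above is an inventory check against the affected ranges in the description. The following is an added example (not Liferay's code or part of the original advisory) that encodes those ranges and classifies a product/version pair; the version notations it accepts ("7.4.3.30", "2024.Q1.5", "7.4 update 30" or "7.4u30") are assumed from the advisory text, and an unrecognised string is reported as needing manual review rather than as safe.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges, copied from the CVE-2025-3586 description:
# (series, first affected patch number, last affected patch number).
# "7.4u" stands for the "7.4 update N" notation (PaaS and Self-Hosted).
AFFECTED = {
    "portal": [("7.4.3", 27, 42)],
    "dxp": [("2024.Q1", 1, 20), ("2023.Q4", 0, 10), ("2023.Q3", 1, 10), ("7.4u", 27, 42)],
}

# Each pattern maps one version notation to a (series, patch) pair.
# The notations are an assumption based on how the advisory writes versions.
PATTERNS = [
    (re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)$"), lambda m: (m.group(1), int(m.group(2)))),
    (re.compile(r"^(\d{4}\.Q[1-4])\.(\d+)$"), lambda m: (m.group(1), int(m.group(2)))),
    (re.compile(r"^7\.4\s*(?:update|u)\s*(\d+)$", re.I), lambda m: ("7.4u", int(m.group(1)))),
]


def parse_version(version: str) -> Optional[Tuple[str, int]]:
    """Return (series, patch) for a recognised Liferay version string, else None."""
    text = version.strip()
    for pattern, build in PATTERNS:
        match = pattern.match(text)
        if match:
            return build(match)
    return None


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False when the version is recognised; None when it cannot be parsed.

    Returning None instead of False for unknown notations keeps an inventory
    script from silently marking an unparseable host as unaffected."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    series, patch = parsed
    return any(series == s and lo <= patch <= hi
               for s, lo, hi in AFFECTED.get(product.lower(), []))


def triage(product: str, version: str) -> str:
    """One-line verdict for an inventory row."""
    verdict = is_affected(product, version)
    if verdict is None:
        return "unrecognised version string, review manually"
    if verdict:
        return "AFFECTED by CVE-2025-3586: patch, or disable Groovy in Object actions"
    return "not in an affected range"


if __name__ == "__main__":
    # Constructed inventory rows, not real hosts.
    for prod, ver in [("Portal", "7.4.3.30"), ("DXP", "2024.Q1.21"), ("DXP", "7.4 update 42")]:
        print(prod, ver, "->", triage(prod, ver))
```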


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-14T12:30:41.451Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b5e345ad5a09ad00d1e197

Added to database: 9/1/2025, 6:17:41 PM

Last enriched: 9/1/2025, 6:32:45 PM

Last updated: 9/4/2025, 6:00:28 PM
