CVE-2025-3586: CWE-863 Incorrect Authorization in Liferay Portal
In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions. In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses. Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.
AI Analysis
Technical Summary
CVE-2025-3586 is a vulnerability classified under CWE-863 (Incorrect Authorization) affecting Liferay Portal versions 7.4.3.27 through 7.4.3.42 and several Liferay DXP versions released before 2024.Q2. The vulnerability arises because the Objects module permits remote authenticated users with the Instance Administrator role to execute arbitrary Groovy scripts within Object actions without proper authorization checks. Groovy scripting in this context allows powerful dynamic code execution on the server, effectively enabling remote code execution (RCE). This flaw is significant because it bypasses intended restrictions on script execution, granting high-privilege users the ability to run arbitrary code remotely. Liferay SaaS (Software as a Service) versions mitigate this risk by disallowing Groovy scripts in Object actions entirely. Starting with Liferay DXP 2024.Q2, a new configuration setting in Instance Settings allows administrators to enable or disable Groovy script execution, providing a security control to prevent exploitation. The vulnerability requires an attacker to have authenticated access with the Instance Administrator role, which is a high privilege level, but no additional user interaction is needed. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required beyond the admin role (PR:H), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H, I:H, A:H). No public exploits have been reported yet, but the potential for severe damage exists due to the ability to execute arbitrary code remotely.
Potential Impact
The impact of CVE-2025-3586 is substantial for organizations using affected Liferay Portal and DXP versions. Since the vulnerability allows remote code execution by authenticated Instance Administrators, attackers who compromise or misuse such accounts can execute arbitrary Groovy scripts on the server. This can lead to full system compromise, data theft, data manipulation, service disruption, or lateral movement within the network. Given Liferay's use in enterprise portals, intranets, and customer-facing applications, exploitation could result in exposure of sensitive corporate or customer data, defacement, or persistent backdoors. The requirement for high privileges limits the attack surface to trusted administrators or compromised admin accounts, but insider threats or credential theft scenarios increase risk. Organizations relying on self-hosted or PaaS deployments of Liferay Portal are particularly vulnerable. The lack of user interaction needed means automated or scripted attacks are feasible once admin credentials are obtained. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure. Overall, the vulnerability poses a high risk to confidentiality, integrity, and availability of affected systems.
Mitigation Recommendations
To mitigate CVE-2025-3586, organizations should first identify if they are running affected Liferay Portal or DXP versions (7.4.3.27 through 7.4.3.42 and specified DXP releases prior to 2024.Q2). Immediate steps include: 1) Restrict and audit Instance Administrator role assignments to trusted personnel only, minimizing the number of users with this high privilege. 2) Monitor and log all Object action executions and Groovy script usage to detect suspicious activity. 3) Upgrade to Liferay DXP 2024.Q2 or later, which introduces a configurable setting to disable Groovy script execution in Object actions, effectively mitigating the vulnerability. 4) For environments where upgrading is not immediately possible, disable or restrict Groovy scripting in Object actions if configurable, or apply custom access controls or patches if available from Liferay. 5) Implement strong authentication mechanisms (e.g., MFA) for admin accounts to reduce risk of credential compromise. 6) Regularly review and rotate admin credentials and monitor for anomalous admin behavior. 7) Network segmentation and limiting external access to Liferay admin interfaces can reduce exposure. 8) Stay alert for any published patches or advisories from Liferay and apply them promptly. These measures collectively reduce the likelihood of exploitation and limit potential damage.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, India, Brazil, Netherlands, South Korea, Singapore
CVE-2025-3586: CWE-863 Incorrect Authorization in Liferay Portal
Description
In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions. In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses. Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-3586 is a vulnerability classified under CWE-863 (Incorrect Authorization) affecting Liferay Portal versions 7.4.3.27 through 7.4.3.42 and several Liferay DXP versions released before 2024.Q2. The vulnerability arises because the Objects module permits remote authenticated users with the Instance Administrator role to execute arbitrary Groovy scripts within Object actions without proper authorization checks. Groovy scripting in this context allows powerful dynamic code execution on the server, effectively enabling remote code execution (RCE). This flaw is significant because it bypasses intended restrictions on script execution, granting high-privilege users the ability to run arbitrary code remotely. Liferay SaaS (Software as a Service) versions mitigate this risk by disallowing Groovy scripts in Object actions entirely. Starting with Liferay DXP 2024.Q2, a new configuration setting in Instance Settings allows administrators to enable or disable Groovy script execution, providing a security control to prevent exploitation. The vulnerability requires an attacker to have authenticated access with the Instance Administrator role, which is a high privilege level, but no additional user interaction is needed. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required beyond the admin role (PR:H), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H, I:H, A:H). No public exploits have been reported yet, but the potential for severe damage exists due to the ability to execute arbitrary code remotely.
Potential Impact
The impact of CVE-2025-3586 is substantial for organizations using affected Liferay Portal and DXP versions. Since the vulnerability allows remote code execution by authenticated Instance Administrators, attackers who compromise or misuse such accounts can execute arbitrary Groovy scripts on the server. This can lead to full system compromise, data theft, data manipulation, service disruption, or lateral movement within the network. Given Liferay's use in enterprise portals, intranets, and customer-facing applications, exploitation could result in exposure of sensitive corporate or customer data, defacement, or persistent backdoors. The requirement for high privileges limits the attack surface to trusted administrators or compromised admin accounts, but insider threats or credential theft scenarios increase risk. Organizations relying on self-hosted or PaaS deployments of Liferay Portal are particularly vulnerable. The lack of user interaction needed means automated or scripted attacks are feasible once admin credentials are obtained. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure. Overall, the vulnerability poses a high risk to confidentiality, integrity, and availability of affected systems.
Mitigation Recommendations
To mitigate CVE-2025-3586, organizations should first identify if they are running affected Liferay Portal or DXP versions (7.4.3.27 through 7.4.3.42 and specified DXP releases prior to 2024.Q2). Immediate steps include: 1) Restrict and audit Instance Administrator role assignments to trusted personnel only, minimizing the number of users with this high privilege. 2) Monitor and log all Object action executions and Groovy script usage to detect suspicious activity. 3) Upgrade to Liferay DXP 2024.Q2 or later, which introduces a configurable setting to disable Groovy script execution in Object actions, effectively mitigating the vulnerability. 4) For environments where upgrading is not immediately possible, disable or restrict Groovy scripting in Object actions if configurable, or apply custom access controls or patches if available from Liferay. 5) Implement strong authentication mechanisms (e.g., MFA) for admin accounts to reduce risk of credential compromise. 6) Regularly review and rotate admin credentials and monitor for anomalous admin behavior. 7) Network segmentation and limiting external access to Liferay admin interfaces can reduce exposure. 8) Stay alert for any published patches or advisories from Liferay and apply them promptly. These measures collectively reduce the likelihood of exploitation and limit potential damage.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Liferay
- Date Reserved
- 2025-04-14T12:30:41.451Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68b5e345ad5a09ad00d1e197
Added to database: 9/1/2025, 6:17:41 PM
Last enriched: 2/27/2026, 1:58:54 AM
Last updated: 3/25/2026, 12:48:41 AM
Views: 354
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.