
CVE-2025-3586: CWE-863 Incorrect Authorization in Liferay Portal

Severity: High
Tags: Vulnerability, CVE-2025-3586, CWE-863
Published: Mon Sep 01 2025 (09/01/2025, 18:07:56 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions. In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses. Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.

AI-Powered Analysis

Last updated: 09/09/2025, 21:54:38 UTC

Technical Analysis

CVE-2025-3586 is a high-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically Portal 7.4.3.27 through 7.4.3.42 and several 2023 and 2024 quarterly releases of Liferay DXP (both PaaS and self-hosted deployments). The vulnerability arises from an incorrect authorization check (CWE-863) in the Objects module, which fails to restrict the execution of Groovy scripts within Object actions for users holding the Instance Administrator role. As a result, a remote authenticated administrator can execute arbitrary Groovy scripts, which amounts to remote code execution (RCE) on the affected system. The Liferay DXP SaaS offering is not affected, because Groovy in Object actions is not allowed there. Starting with Liferay DXP 2024.Q2, administrators can configure whether Groovy scripts are allowed in their instance via Instance Settings, providing a control to reduce exposure. The CVSS 4.0 base score of 7.5 reflects high severity: network attack vector, high attack complexity, no user interaction required, and privileges required at the administrator level. No exploitation in the wild is known at this time, but the potential impact is significant because a privileged user can execute arbitrary code on the server.

Potential Impact

For European organizations running affected versions of Liferay Portal or Liferay DXP, this vulnerability poses a serious risk to system confidentiality, integrity, and availability. Because the flaw requires an authenticated user with Instance Administrator privileges, the threat comes primarily from insiders or from compromised administrator accounts. Successful exploitation could lead to full compromise of the Liferay host, data breaches, unauthorized data manipulation, and disruption of business services hosted on the platform. Given Liferay's popularity for enterprise content management and portals across Europe, especially in government, finance, and telecommunications, exploitation could cause significant operational and reputational damage. Arbitrary Groovy execution on the server could also serve as a foothold for lateral movement and for deploying further malware or ransomware, amplifying the impact. The network attack vector and the absence of any user interaction mean that, once administrator credentials are obtained, exploitation can be carried out remotely and automated.

Mitigation Recommendations

European organizations should immediately assess their Liferay Portal and DXP deployments to identify affected versions. Specific mitigation steps include:

1) Upgrade to Liferay DXP 2024.Q2 or later, where administrators can disable Groovy script execution in Object actions via Instance Settings, removing this attack vector.
2) If upgrading is not immediately feasible, restrict the Instance Administrator role strictly to trusted personnel and enforce strong multi-factor authentication (MFA) to reduce the risk of credential compromise.
3) Audit existing Object actions to identify and remove any unauthorized or risky Groovy scripts.
4) Monitor logs and system behavior for unusual script execution or administrative activity that could indicate exploitation attempts.
5) Apply network segmentation and least-privilege principles to limit the impact of any compromise.
6) Follow Liferay support and security advisories for patches or hotfixes, and apply them promptly once released.
7) Educate administrators on the risks of Groovy script usage and enforce policies governing its use.

Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-14T12:30:41.451Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b5e345ad5a09ad00d1e197

Added to database: 9/1/2025, 6:17:41 PM

Last enriched: 9/9/2025, 9:54:38 PM

Last updated: 10/20/2025, 12:30:45 PM
