
CVE-2025-3639: CWE-288: Authentication Bypass Using an Alternate Path or Channel in Liferay Portal

Low
Tags: Vulnerability, CVE-2025-3639, CWE-288
Published: Mon Aug 18 2025 (08/18/2025, 16:48:41 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled.

AI-Powered Analysis

Last updated: 08/18/2025, 17:18:33 UTC

Technical Analysis

CVE-2025-3639 is an authentication bypass in Liferay Portal 7.3.0 through 7.4.3.132 and in the Liferay DXP release lines listed in the description (7.3 GA through update 36, 7.4 GA through update 92, and the 2024.Q1 through 2025.Q1 quarterly releases up to the updates named). The flaw lies in how the login flow handles the HTTP request method once MFA is enabled for the site: a user who holds valid credentials can submit the login request with GET instead of POST, and the request is processed along a path that does not apply the MFA step. The outcome is a fully authenticated session without the second factor, which is the pattern CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes: the intended channel enforces the control, an alternate channel to the same function does not. Exploitation requires valid primary credentials, so the description's phrase "unauthenticated users with valid credentials" should be read as an attacker who knows a username and password but has not completed the MFA-protected login; an attacker without credentials gains nothing from the GET path. The CVSS 4.0 base score is 2.0 (Low), driven by high privileges required (PR:H), user interaction (UI:P), high attack complexity (AC:H) and limited impact ratings on confidentiality, integrity and availability. No exploitation in the wild had been reported and no fix reference had been linked at the time of this analysis. The score understates the practical significance: the bug neutralises MFA, which is usually the control relied on to contain the consequences of a stolen or phished password.
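The pattern the analysis describes, as an added illustrative model rather than Liferay's own code: a login handler whose POST branch defers the session until the MFA step completes, while a second branch reachable by GET sets the session directly. The hardened version accepts a single method and runs every request through the same gate. The in-memory user store, parameter names, status codes and the fixed MFA code are constructed for the example.

```python
"""Illustrative model of a CWE-288 alternate-path login bypass.

Added example, not Liferay code. Models a login handler with two code paths:
a POST path that enforces MFA and a GET path that does not. The credential
store, parameter names and the accepted MFA code are assumptions for the
illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None
    mfa_verified: bool = False   # set only after the second factor succeeds
    authenticated: bool = False  # full login completed


# Constructed credential store: password hash and per-user MFA enrolment flag.
_USERS = {
    "alice": {"pw": hashlib.sha256(b"correct horse").hexdigest(), "mfa": True},
}


def _password_ok(user: Optional[str], password: Optional[str]) -> bool:
    rec = _USERS.get(user or "")
    if rec is None or password is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw"], digest)


def vulnerable_login(method: str, params: dict, session: Session) -> int:
    """Vulnerable: both GET and POST reach the credential check, but only the
    POST branch holds the session back until the MFA challenge is answered."""
    if not _password_ok(params.get("login"), params.get("password")):
        return 401
    user = params["login"]
    if method == "POST":
        session.user = user
        if _USERS[user]["mfa"]:
            return 302  # redirect to the MFA challenge; not authenticated yet
        session.authenticated = True
        return 200
    if method == "GET":
        # Alternate path: same credential check, but the MFA gate is never consulted.
        session.user = user
        session.authenticated = True
        return 200
    return 405


def hardened_login(method: str, params: dict, session: Session) -> int:
    """Hardened: one method, one code path; the MFA gate applies to every login."""
    if method != "POST":
        return 405
    if not _password_ok(params.get("login"), params.get("password")):
        return 401
    user = params["login"]
    session.user = user
    if _USERS[user]["mfa"]:
        return 302
    session.authenticated = True
    return 200


def complete_mfa(session: Session, code: str) -> bool:
    """Second step. The accepted code is fixed to '123456' for the example."""
    if session.user and _USERS[session.user]["mfa"] and code == "123456":
        session.mfa_verified = True
        session.authenticated = True
    return session.authenticated


if __name__ == "__main__":
    creds = {"login": "alice", "password": "correct horse"}
    s = Session()
    print("GET  (vulnerable):", vulnerable_login("GET", creds, s), s)
    s = Session()
    print("POST (vulnerable):", vulnerable_login("POST", creds, s), s)
    s = Session()
    print("GET  (hardened):  ", hardened_login("GET", creds, s), s)
```

The point of the model is not the method check by itself but that the credential verification and the MFA gate live in a single path: the vulnerable handler would be just as broken if the alternate branch were reachable by PUT or through a second URL.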

Potential Impact

For European organizations using affected Liferay Portal or DXP versions, this vulnerability poses a risk primarily to the integrity of their authentication systems. Since MFA is widely adopted in Europe as a regulatory and security best practice, the ability to bypass MFA undermines compliance efforts and increases the risk of unauthorized access to sensitive corporate portals, intranets, or customer-facing services. The impact includes potential exposure of confidential business information, unauthorized modification of data, and disruption of services if attackers leverage this bypass to escalate privileges or move laterally within networks. However, the requirement for valid credentials limits the threat to insiders or attackers who have already compromised user credentials through phishing or other means. The low CVSS score suggests limited direct impact, but the bypass of MFA—a critical security control—could facilitate more severe downstream attacks if combined with other vulnerabilities or credential theft. European organizations in sectors with strict data protection regulations (e.g., GDPR) may face compliance risks and reputational damage if this vulnerability is exploited.

Mitigation Recommendations

Upgrade affected Liferay Portal and DXP installations to a release that Liferay lists as fixed for this CVE as soon as one is published; no fix reference had been linked at the time of this analysis. Until then, the following compensating controls reduce exposure:
1) Enforce the HTTP method on the login action at the edge (reverse proxy or WAF): reject any request to the login action that arrives with a method other than POST. Scope the rule to the login action itself rather than to every GET touching the login portlet, or the page that renders the login form becomes unreachable.
2) Alert on non-POST requests to the login action, and on credentials appearing in query strings; a successful bypass leaves exactly that trace in access logs.
3) Treat the flaw as an amplifier for credential theft: enforce strong password policy, monitor for leaked or compromised credentials, and rotate credentials of accounts suspected to be exposed, because with this bug a valid password alone is sufficient to log in.
4) Where a WAF is already in place, add a rule that blocks anomalous request methods targeting the login endpoints, again scoped to the action and not to the form render.
5) Include HTTP-method handling and MFA enforcement in authentication-flow assessments and penetration tests, so that other alternate paths to the same function are found before an attacker finds them.
6) Continue phishing and credential-hygiene awareness training to reduce the chance of attackers obtaining valid credentials in the first place.
These measures reduce the risk until the vendor fix is applied; they do not remove the vulnerability.
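Mitigation points 1 and 2 above, as an added example that is not from the page or from Liferay: a small log scanner that flags non-POST requests whose target looks like the Liferay login action. It assumes combined/common access-log format and identifies the login action either by the path /c/portal/login or by the LoginPortlet id together with p_p_lifecycle=1 (the portlet action phase) in the query string; those URL conventions, the constants and the sample log lines are assumptions for the example and should be adjusted to the deployment. A GET that merely renders the login form (p_p_lifecycle=0) is deliberately not flagged, which is the same distinction an edge rule has to make.

```python
"""Flag non-POST requests to a Liferay login action in web-server access logs.

Added example (not from the page or from Liferay). Assumptions: combined or
common log format; the login action is reachable at /c/portal/login or via
the LoginPortlet in its action phase (p_p_lifecycle=1). Adjust the constants
to the deployment before relying on the output.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOGIN_PATHS = ("/c/portal/login",)                              # assumed login path
LOGIN_PORTLET_ID = "com_liferay_login_web_portlet_LoginPortlet"  # assumed portlet id

# client ident user [timestamp] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def is_login_action(target: str) -> bool:
    """True when the target addresses the login *action*, not the GET that
    only renders the login form (which carries p_p_lifecycle=0)."""
    parts = urlsplit(target)
    if any(parts.path.startswith(p) for p in LOGIN_PATHS):
        return True
    qs = parse_qs(parts.query)
    return qs.get("p_p_id") == [LOGIN_PORTLET_ID] and qs.get("p_p_lifecycle") == ["1"]


def find_non_post_logins(lines):
    """One finding per request that reaches the login action with a method
    other than POST. The status is kept so an accepted request (200/302) can
    be prioritised over one already rejected upstream (405)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" and is_login_action(m["target"]):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "target": m["target"],
            })
    return findings


# Constructed sample log lines (not real traffic). Only entries 1 and 4 should fire:
# 2 is the legitimate POST, 3 is the form render (lifecycle 0), 5 is unrelated.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Aug/2025:16:48:41 +0000] "GET /c/portal/login?_com_liferay_login_web_portlet_LoginPortlet_login=alice HTTP/1.1" 302 0',
    '198.51.100.2 - - [18/Aug/2025:16:49:02 +0000] "POST /web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1 HTTP/1.1" 302 0',
    '198.51.100.2 - - [18/Aug/2025:16:49:00 +0000] "GET /web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Aug/2025:16:50:13 +0000] "GET /web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin HTTP/1.1" 200 4096',
    '192.0.2.9 - - [18/Aug/2025:16:51:40 +0000] "GET /web/guest/home HTTP/1.1" 200 7310',
]

if __name__ == "__main__":
    for f in find_non_post_logins(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} -> {f['status']} {f['target']}")
```

Run it over real logs by feeding the file's lines to find_non_post_logins; a 200 or 302 on a flagged line means the server accepted the request and that session should be investigated, while a 405 means the edge rule is doing its job.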


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-15T11:49:52.301Z
CVSS Version
4.0
State
PUBLISHED

Threat ID: 68a35cb2ad5a09ad00b0b5e8

Added to database: 8/18/2025, 5:02:42 PM

Last enriched: 8/18/2025, 5:18:33 PM

Last updated: 8/19/2025, 7:12:15 PM

