CVE-2025-43751: CWE-203: Observable Discrepancy in Liferay Portal

Severity: Medium
Tags: Vulnerability, CVE-2025-43751, CWE-203
Published: Fri Aug 22 2025 (08/22/2025, 15:58:36 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exists in the application via the create account page.

AI-Powered Analysis

Last updated: 08/22/2025, 16:33:03 UTC

Technical Analysis

CVE-2025-43751 is a user enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, Liferay 7.4 GA through update 92, and the Liferay DXP quarterly releases from 2023.Q3 through 2024.Q4 listed in the description above. The create account page behaves observably differently depending on whether the submitted account already exists, so a remote attacker can submit candidate identifiers and read the answer off the response. This is CWE-203 (Observable Discrepancy): the application leaks a fact not through a message it intends to send but through a measurable difference in how it responds. The advisory does not say which part of the response differs (status code, error text, redirect, page content or timing); any of these is enough to build an oracle once the difference is consistent.

The flaw needs no authentication and no user interaction and is reachable over the network, so it is cheap to exploit. The CVSS v4.0 base score is 6.9 (Medium); the impact is to confidentiality only (information disclosure), with no direct effect on integrity or availability. No exploitation in the wild has been reported, and no fix is linked in the record above, so the fixed versions must be taken from Liferay's own advisory.

The issue matters because a confirmed list of valid usernames turns blind guessing into targeted credential stuffing, phishing and social engineering against real accounts. Liferay Portal and DXP are widely used enterprise platforms for corporate intranets, public websites and customer portals, so the accounts they expose often belong to employees and customers with access to internal resources.
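The following is an added example, not code from Liferay or from the advisory, showing how a tester measures an observable discrepancy of this kind and why uniform responses close it. Both handlers are simulations: the leaky variant's 400 status and error text are hypothetical, because the advisory does not say which part of the real response differs, and the token names in the noise filter are assumptions. Against a live page the handler would be replaced by an HTTP client; the comparison logic is the same.

```python
"""Black-box check for an observable discrepancy on a create-account page.

Added example, not Liferay code. The handlers simulate a leaky and a
hardened sign-up endpoint; the leaky behaviour shown is hypothetical.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for the portal's user store.
EXISTING_ACCOUNTS = {"alice@example.org", "bob@example.org"}

# Constructed mail outbox: the hardened handler still does real work on
# each branch, but the requester cannot see which branch ran.
OUTBOX: list[tuple[str, str]] = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def vulnerable_create_account(email: str) -> Response:
    """Hypothetical leaky behaviour: a distinct status code and message
    when the address is already registered."""
    if email in EXISTING_ACCOUNTS:
        return Response(400, '<p class="error">An account with this e-mail address already exists.</p>')
    OUTBOX.append((email, "verify-address"))
    return Response(200, "<p>Thank you. A verification e-mail is on its way.</p>")


def hardened_create_account(email: str) -> Response:
    """Same status and same body on both paths; the existing-owner case is
    handled by e-mail, which the requester cannot observe."""
    if email in EXISTING_ACCOUNTS:
        OUTBOX.append((email, "someone-tried-to-register-your-address"))
    else:
        OUTBOX.append((email, "verify-address"))
    return Response(200, "<p>Thank you. If this address can be registered, a verification e-mail is on its way.</p>")


# Per-request noise that would otherwise make every body unique. The
# parameter names are assumptions; adjust them to what the real page emits.
NOISE = re.compile(r"(?i)\b(token|nonce|csrf)=[0-9a-z]+")


def fingerprint(resp: Response) -> tuple[int, int, str]:
    """Reduce a response to the signals an attacker compares: status code,
    normalised body length and a hash of the normalised body."""
    body = NOISE.sub(r"\1=X", resp.body)
    return resp.status, len(body), hashlib.sha256(body.encode()).hexdigest()


def enumerate_accounts(handler, candidates, control="no-such-user-7f3a9c@example.invalid"):
    """Oracle: every candidate whose response differs from the response for
    a control address that certainly does not exist."""
    baseline = fingerprint(handler(control))
    return sorted(c for c in candidates if fingerprint(handler(c)) != baseline)


def has_observable_discrepancy(handler) -> bool:
    """True when the handler can be used as an account-existence oracle."""
    return bool(enumerate_accounts(handler, sorted(EXISTING_ACCOUNTS)))


if __name__ == "__main__":
    candidates = ["alice@example.org", "carol@example.org", "bob@example.org"]
    print("leaky   :", enumerate_accounts(vulnerable_create_account, candidates))
    print("hardened:", enumerate_accounts(hardened_create_account, candidates))
```

The fingerprint deliberately ignores timing. To rule out a timing oracle, send each candidate several times and compare latency distributions between known and control addresses; doing equivalent work on both branches (as the hardened handler does by sending an e-mail either way) is what keeps those distributions alike. The same probe is worth pointing at the login and password-reset pages, which commonly carry the same discrepancy.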

Potential Impact

For European organizations using Liferay Portal or DXP, this vulnerability poses a risk of information leakage that can facilitate targeted attacks. By enumerating valid user accounts, attackers can compile lists of legitimate usernames, which can be used in brute force or credential stuffing attacks, increasing the risk of unauthorized access. This is particularly concerning for organizations handling sensitive personal data under GDPR, as unauthorized access or data breaches could lead to regulatory penalties and reputational damage. Additionally, user enumeration can aid phishing campaigns by enabling attackers to craft convincing messages targeting real employees. Since Liferay is commonly deployed in sectors such as government, finance, education, and healthcare in Europe, the impact could extend to critical infrastructure and sensitive data environments. Although the vulnerability does not directly allow account takeover or system compromise, it lowers the barrier for subsequent attacks that could have severe consequences.

Mitigation Recommendations

European organizations should implement specific mitigations beyond generic advice:

1) Monitor web application logs for bursts of requests to the create account page from a single source address, session or user agent, especially when each request carries a different username or e-mail address; that pattern is an enumeration run.
2) Rate limit and throttle the create account and login endpoints by source IP and session to slow automated probing. This raises the attacker's cost but does not close the oracle on its own.
3) Make the create account page respond identically whether or not the submitted account exists: same status code, same redirect, same body (after per-request tokens are removed) and comparable response time. If the existing-account case needs handling, do it out of band, for example by e-mailing the existing owner, rather than in the HTTP response. Apply the same check to the login and password-reset pages, which commonly carry the same discrepancy.
4) Where a web application firewall (WAF) fronts the portal, add rules that detect and block high-rate submissions to the create account page, keeping in mind that a WAF only hampers automated probing and does not remove the underlying discrepancy.
5) Include user enumeration vectors (create account, login, password reset) in internal security assessments and penetration tests of Liferay deployments.
6) Follow Liferay advisories and upgrade to a fixed version as soon as one is available; the measures above are compensating controls until then.
7) Enforce strong password policies and multi-factor authentication so that a confirmed username alone does not lead to account takeover, and make users and administrators aware of the risk of targeted phishing against enumerated accounts.
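As an added example of the log monitoring recommended above (not from Liferay or the advisory), the script below parses combined-format access log lines and flags any source that submits the create account form more than a threshold number of times inside a sliding window. The log lines are constructed for the example, and /create-account is a placeholder for the real URL of the portal's create account page.

```python
"""Flag bursts of create-account submissions that look like enumeration.

Added example, not Liferay code. Sample log lines are constructed in
combined log format; the path is a placeholder for the real page URL.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

CREATE_ACCOUNT_PATH = "/create-account"  # placeholder: set to the real page URL

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one source submitting a new attempt every second,
# plus a normal visitor who loads the page once and submits once, and a
# malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = [
    f'198.51.100.7 - - [22/Aug/2025:16:00:{i:02d} +0000] '
    f'"POST /create-account HTTP/1.1" 200 2310'
    for i in range(12)
] + [
    '203.0.113.9 - - [22/Aug/2025:16:00:05 +0000] "GET /create-account HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Aug/2025:16:00:40 +0000] "POST /create-account HTTP/1.1" 200 2310',
    'garbage line that must be skipped',
]


def parse_line(line: str):
    """Return a dict for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def enumeration_bursts(lines, window_seconds=60, threshold=10):
    """Sliding-window count of POSTs to the create account page per source
    IP. Lines are assumed to be in chronological order. Returns
    {ip: peak_count} for sources that reach the threshold."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        # Match the page itself, ignoring any query string.
        if rec["path"].split("?", 1)[0] != CREATE_ACCOUNT_PATH:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, n in enumeration_bursts(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {n} sign-up attempts within 60 s")
```

Keying on the source IP alone misses an attacker who rotates addresses; in production, group by session cookie or user agent as well, and if the discrepancy turns out to be a status or size difference, a bimodal distribution of response sizes for the page is a second, independent signal.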

Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-17T10:55:24.865Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68a8982fad5a09ad00203a7e

Added to database: 8/22/2025, 4:17:51 PM

Last enriched: 8/22/2025, 4:33:03 PM

Last updated: 8/22/2025, 4:47:47 PM
