CVE-2025-43754: CWE-208 Observable Timing Discrepancy in Liferay Portal
Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exists in the application by inspecting the server processing time of the login request.
AI Analysis
Technical Summary
CVE-2025-43754 is a username enumeration vulnerability affecting multiple versions of Liferay Portal and Liferay DXP products, specifically versions 7.4.0 through 7.4.3.132 and various quarterly releases of Liferay DXP from 2024.Q1 through 2024.Q4. The vulnerability is classified under CWE-208, which pertains to observable timing discrepancies that can be exploited to infer sensitive information. In this case, an attacker can determine whether a username exists in the system by measuring the difference in server processing time during login attempts. This timing discrepancy arises because the application processes valid and invalid usernames differently, causing measurable variations in response times. The vulnerability does not require any authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required. The impact is limited to information disclosure, specifically the confirmation of valid usernames, which can be leveraged in subsequent targeted attacks such as password guessing, phishing, or social engineering. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. However, the presence of this vulnerability in widely used enterprise portal software makes it a relevant concern for organizations relying on Liferay Portal or DXP for their web presence or internal portals.
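The discrepancy described above comes from a login path that does less work for an unknown username than for a known one. The added example below (not Liferay's code; it uses a constructed in-memory user store with PBKDF2 hashes, which is an assumption about nothing on this page) shows that leaky shape next to a hardened one that performs the same key derivation and constant-time comparison on every attempt, so the processing cost no longer depends on whether the account exists.

```python
import hashlib
import hmac
import os

# Constructed toy user store (not Liferay's schema): username -> (salt, PBKDF2 hash).
ITERATIONS = 20_000  # deliberately low so the demo runs fast; production uses far more


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _derive(password, salt))
    return store


def login_leaky(store, username, password):
    """Vulnerable shape (CWE-208): an unknown username returns before any key
    derivation runs, so its response is measurably faster than a known one's.
    Returns (authenticated, derivations_performed)."""
    record = store.get(username)
    if record is None:
        return False, 0
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected), 1


# Dummy credential used for unknown usernames; a random password means it can never match.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive(os.urandom(32).hex(), _DUMMY_SALT)


def login_uniform(store, username, password):
    """Hardened shape: every attempt performs exactly one derivation and one
    constant-time comparison whether or not the username exists. The final
    membership test is a dictionary lookup, negligible next to the KDF cost."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_derive(password, salt), expected)
    return (matched and username in store), 1
```

The second element of each return value counts key derivations; the leaky path does zero for an unknown user while the uniform path always does one, which is the property a regression test should pin down.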
Potential Impact
For European organizations using Liferay Portal or DXP, this vulnerability poses a moderate risk primarily related to information disclosure. By enumerating valid usernames, attackers can build a list of legitimate user accounts, which can facilitate more focused brute force attacks, credential stuffing, or spear-phishing campaigns targeting employees or customers. This can lead to unauthorized access if combined with weak or reused passwords. Additionally, knowledge of valid usernames can aid social engineering attacks that may compromise organizational security. While the vulnerability itself does not allow direct system compromise or data manipulation, it lowers the barrier for attackers to launch more damaging attacks. Organizations in sectors with high regulatory requirements for data protection (e.g., finance, healthcare, government) may face increased compliance risks if such enumeration leads to breaches. The timing-based nature of the attack means it can be automated and executed at scale, potentially affecting large user bases. Given Liferay's popularity in Europe for enterprise portals and intranet solutions, the impact is non-trivial and warrants timely mitigation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement the following specific measures:
1) Apply any official patches or updates from Liferay as soon as they become available, as these will address the timing discrepancy at the application level.
2) Implement uniform response times for login attempts regardless of username validity to eliminate timing side channels. This can be done by introducing artificial delays or standardizing backend processing paths.
3) Employ account lockout or throttling mechanisms to limit the rate of login attempts, reducing the feasibility of automated enumeration.
4) Monitor authentication logs for unusual patterns indicative of enumeration attempts, such as high volumes of login requests with varying usernames from single IP addresses.
5) Use multi-factor authentication (MFA) to reduce the risk of account compromise even if usernames are known.
6) Consider deploying web application firewalls (WAFs) with rules designed to detect and block timing-based enumeration attacks.
7) Educate users and administrators about the risks of username enumeration and encourage strong, unique passwords to mitigate downstream risks.
These mitigations go beyond generic advice by focusing on eliminating timing discrepancies and detecting enumeration behavior specifically in the context of Liferay Portal environments.
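Measure 4 above (watch for many failed logins with varying usernames from one source) can be turned into a concrete check. The added example below is not Liferay's code and assumes a constructed one-line-per-attempt log format rather than Liferay's real log layout; it slides a time window over each source IP's failures and flags those whose attempt volume and username diversity both exceed a threshold, which separates an enumeration sweep from a legitimate user mistyping their own password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not Liferay's): "<iso-timestamp> ip=<src> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def _ts(sec):
    return f"2025-08-21T17:{47 + sec // 60:02d}:{sec % 60:02d}Z"


# Constructed sample: one source sweeps 12 distinct usernames in under two minutes,
# while a legitimate user fails three times on their own account and then succeeds.
SAMPLE_LOG = (
    [f"{_ts(10 * i)} ip=203.0.113.5 user=user{i:02d} result=FAIL" for i in range(12)]
    + [f"{_ts(5 + 20 * i)} ip=198.51.100.7 user=alice result=FAIL" for i in range(3)]
    + [f"{_ts(70)} ip=198.51.100.7 user=alice result=OK"]
)


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["ip"], m["user"], m["result"]


def find_enumerators(lines, window=timedelta(minutes=5), min_attempts=10, min_distinct_users=8):
    """Return {ip: peak distinct usernames} for sources whose failed logins inside any
    sliding window reach both the attempt and the distinct-username thresholds."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse(lines)):
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts older than the window
            span = attempts[start:end + 1]
            distinct = {user for _, user in span}
            if len(span) >= min_attempts and len(distinct) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Tune the thresholds to the portal's normal failure rate; requiring username diversity as well as volume keeps a single locked-out user from tripping the rule.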
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:24.865Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a75bc4ad5a09ad001702f8
Added to database: 8/21/2025, 5:47:48 PM
Last enriched: 8/21/2025, 6:04:03 PM
Last updated: 8/21/2025, 6:04:03 PM