CVE-2025-43759: CWE-732 Incorrect Permission Assignment for Critical Resource in Liferay Portal
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants.
AI Analysis
Technical Summary
CVE-2025-43759 is a medium-severity vulnerability classified under CWE-732, incorrect permission assignment for a critical resource. It affects multiple versions of Liferay Portal and Liferay DXP, specifically Liferay Portal 7.4.0 through 7.4.3.132, the Liferay DXP quarterly releases from 2024.Q1.1 through 2025.Q1.0, and Liferay DXP 7.4 GA through update 92. The core issue is that admin users within a virtual instance (tenant) can add pages that do not belong to the default or main virtual instance. This misconfiguration or design flaw allows any tenant to enumerate, or build a list of, all other tenants within the same Liferay Portal environment. The vulnerability requires no privileges beyond admin rights within a tenant, but it does require user interaction through the UI. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H, i.e. tenant admin rights), active user interaction (UI:A), and high confidentiality impact (VC:H), with no impact on integrity or availability. In short, the vulnerability leaks tenant information across virtual instances, violating the tenant isolation that multi-tenant environments depend on. Although no exploits are known in the wild, exposure of the tenant list can support reconnaissance and further targeted attacks by malicious actors. The vulnerability is particularly relevant for organizations running Liferay Portal or DXP in multi-tenant configurations, where tenant data segregation is paramount.
Potential Impact
For European organizations deploying Liferay Portal or DXP in multi-tenant environments, this vulnerability poses a significant risk to confidentiality and tenant isolation. The ability for one tenant to enumerate all other tenants undermines the trust model and could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and increased attack surface for subsequent targeted attacks such as phishing, social engineering, or lateral movement. While the vulnerability does not directly allow data modification or denial of service, the exposure of tenant identities can facilitate more sophisticated attacks. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, are particularly vulnerable to reputational and legal consequences if tenant information is leaked. The medium CVSS score reflects the moderate ease of exploitation by privileged users and the significant confidentiality impact. Given the multi-tenant nature of Liferay deployments, the scope of affected systems can be broad within an organization or service provider hosting multiple tenants.
Mitigation Recommendations
1. Apply official patches or updates from Liferay as soon as they become available to address this permission assignment flaw.
2. Until patches are released, restrict admin privileges within virtual instances to trusted personnel only and audit admin activities regularly.
3. Review and harden tenant isolation configurations, ensuring that page creation and management permissions are strictly enforced and limited to the default virtual instance where appropriate.
4. Implement monitoring and alerting for unusual tenant enumeration activities or cross-tenant access attempts.
5. Conduct thorough security assessments and penetration tests focusing on multi-tenant isolation boundaries within Liferay environments.
6. Consider network segmentation and access controls to limit administrative access to Liferay portals.
7. Educate administrators on the risks of cross-tenant information leakage and enforce the principle of least privilege.
8. Maintain an inventory of all tenants and their admin users to quickly identify and respond to suspicious activities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:24.866Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a8c25bad5a09ad00217696
Added to database: 8/22/2025, 7:17:47 PM
Last enriched: 8/22/2025, 7:34:15 PM
Last updated: 8/22/2025, 7:34:15 PM