CVE-2025-43759 is a medium-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.132 and various quarterly releases of Liferay DXP from 2024.Q1.1 through 2025.Q1.0. The vulnerability is classified under CWE-732, which pertains to incorrect permission assignment for critical resources. In this case, the flaw allows an administrator of a virtual instance within the Liferay Portal environment to add pages that do not belong to the default or main virtual instance. This misconfiguration or design flaw leads to a scenario where any tenant (virtual instance) can enumerate or create a list of all other tenants within the same Liferay deployment. The vulnerability does not require authentication beyond admin privileges on a virtual instance, but it does require user interaction (UI access). The CVSS 4.0 base score is 6.7, indicating a medium severity level, with network attack vector, low attack complexity, no privileges required beyond admin on a virtual instance, and high impact on confidentiality due to tenant information disclosure. The vulnerability does not affect integrity or availability directly but compromises tenant isolation, which is critical in multi-tenant environments. No known exploits are currently in the wild, and no patches have been linked yet, indicating that organizations should be vigilant and monitor for updates. This vulnerability could be exploited to gather sensitive tenant information, potentially aiding further targeted attacks or lateral movement within the portal infrastructure.

For European organizations using Liferay Portal or Liferay DXP in multi-tenant configurations, this vulnerability poses a significant risk to tenant data confidentiality and privacy. Many European enterprises and public sector entities rely on Liferay for intranet, extranet, and customer-facing portals that host sensitive business or personal data. The ability for one tenant to enumerate all other tenants undermines the fundamental isolation expected in multi-tenant SaaS or hosted environments, potentially exposing tenant identities, configurations, or metadata that could be leveraged for social engineering, targeted phishing, or further exploitation. Given the strict data protection regulations in Europe, such as GDPR, unauthorized disclosure of tenant information could lead to regulatory penalties and reputational damage. Additionally, this vulnerability could facilitate insider threats or lateral movement by malicious administrators or compromised tenant accounts. While the vulnerability does not directly allow data modification or service disruption, the breach of tenant isolation is a critical security concern in shared environments.

Organizations should immediately review their Liferay Portal and DXP deployments to identify if they are running affected versions. Until official patches are released, administrators should restrict virtual instance admin privileges to trusted personnel only and monitor admin activities closely. Implement strict access controls and audit logging to detect any unusual tenant enumeration or page creation activities. Consider segmenting tenants physically or logically to reduce the risk of cross-tenant information leakage. Disable or limit the ability to add pages outside the default virtual instance if possible through configuration or custom policies. Engage with Liferay support or vendor channels to obtain patches or workarounds as soon as they become available. Additionally, conduct a thorough review of tenant metadata exposure and ensure that tenant identifiers or sensitive information are not unnecessarily exposed in UI elements or APIs. Finally, incorporate this vulnerability into incident response plans and perform penetration testing focused on multi-tenant isolation to proactively identify similar issues.