CVE-2025-43763 is a Server-Side Request Forgery (SSRF) vulnerability identified in Liferay Portal versions 7.4.0 through 7.4.3.131 and multiple Liferay DXP 2024 quarterly releases (Q1 through Q4). The vulnerability specifically affects custom object attachment fields within these products. SSRF vulnerabilities allow an attacker to manipulate the server into making unauthorized HTTP requests to internal or external systems. In this case, the flaw enables an attacker to craft requests that cause the Liferay Portal to create new object entries linking to external resources, potentially bypassing intended access controls. The vulnerability requires high privileges (PR:H) and some user interaction (UI:P) to exploit, with low complexity (AC:L) and no authentication bypass (VA:N). The CVSS v4.0 base score is 4.8, indicating a medium severity level. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of internal network reconnaissance, unauthorized data access, or interaction with internal services that are otherwise inaccessible externally. The scope is limited to the affected Liferay Portal and DXP versions, and the impact on confidentiality and integrity is low to limited, with no direct availability impact reported. The vulnerability was published on September 8, 2025, and no patches or fixes have been linked yet, indicating organizations should monitor for vendor updates and advisories.

For European organizations using Liferay Portal or Liferay DXP within the affected versions, this SSRF vulnerability could allow attackers with high privileges and some user interaction to perform unauthorized requests from the server. This can lead to internal network scanning, accessing sensitive internal services, or leveraging the portal to interact with external malicious resources. Given Liferay's widespread use in enterprise content management and intranet portals across Europe, exploitation could compromise internal data confidentiality and integrity, especially if internal systems are exposed via the SSRF channel. However, the medium severity and requirement for high privileges reduce the likelihood of widespread exploitation. Still, organizations in sectors such as finance, government, healthcare, and critical infrastructure that rely on Liferay for internal portals could face targeted attacks aiming to pivot within their networks or exfiltrate sensitive information. The lack of known exploits currently reduces immediate risk, but the presence of this vulnerability in actively maintained versions necessitates prompt attention to avoid future exploitation.

1. Immediately audit and inventory all Liferay Portal and DXP instances to identify affected versions (7.4.0 through 7.4.3.131 and 2024.Q1 through Q4 releases as specified). 2. Restrict high privilege user roles and monitor for unusual user interactions that could trigger SSRF exploitation. 3. Implement network segmentation and firewall rules to limit the Liferay server's ability to make arbitrary outbound requests, especially to internal services. 4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SSRF patterns targeting custom object attachment fields. 5. Monitor logs for anomalous request patterns or creation of object entries linking to unexpected external resources. 6. Engage with Liferay support and subscribe to security advisories to apply patches or updates promptly once available. 7. Consider temporary disabling or restricting the use of custom object attachment fields if feasible until a patch is released. 8. Conduct internal penetration testing focusing on SSRF vectors to validate the effectiveness of mitigations and detect potential exploitation attempts.