CVE-2025-43768: CWE-201: Insertion of Sensitive Information Into Sent Data in Liferay Portal

Medium
Tags: Vulnerability, CVE-2025-43768, cve, cwe-201
Published: Sat Aug 23 2025 (08/23/2025, 03:04:06 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

AI-Powered Analysis

Last updated: 08/31/2025, 01:08:40 UTC

Technical Analysis

CVE-2025-43768 is a medium-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.131, the 2024 quarterly releases of Liferay DXP (Q1 through Q4) listed in the description, and 7.4 GA through update 92. The vulnerability is categorized under CWE-201, insertion of sensitive information into sent data. In this case, the flaw allows authenticated users with no special permissions to access sensitive information belonging to administrative users via the JSON Web Services (JSONWS) APIs. This means that even users with minimal privileges can use the API to retrieve confidential data about administrators, potentially exposing credentials, configuration details, or other sensitive metadata. The CVSS 4.0 vector indicates that the attack is network-reachable (AV:N), has low attack complexity (AC:L), requires low privileges, i.e. an authenticated account (PR:L), needs passive user interaction (UI:P), and results in a low confidentiality impact (VC:L) with no impact on integrity or availability. No exploits in the wild are known at the time of writing, but the exposure of sensitive admin data could facilitate further attacks such as privilege escalation or targeted compromise of the portal environment. The issue stems from insufficient access control enforcement on the JSONWS API endpoints, allowing unauthorized data leakage. Given Liferay Portal's widespread use in enterprise content management and intranet portals, this vulnerability poses a significant risk if exploited.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability could lead to unauthorized disclosure of sensitive administrative information. Such data leakage can undermine the confidentiality of critical system credentials or configuration details, potentially enabling attackers to escalate privileges or conduct further targeted attacks within the corporate network. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government institutions across Europe. The exposure of admin data could also violate GDPR mandates on data security, leading to regulatory penalties and reputational damage. Since the vulnerability requires only authenticated access with minimal privileges, it increases the risk from insider threats or compromised low-privilege accounts. The medium severity rating reflects the moderate confidentiality impact but limited integrity and availability effects. However, the potential for lateral movement and deeper compromise elevates the overall risk posture for affected organizations.

Mitigation Recommendations

European organizations should immediately audit their Liferay Portal and DXP deployments to identify affected versions. Since this record provides no patch links, organizations should monitor Liferay's official channels for security updates or hotfixes addressing CVE-2025-43768. In the interim, restrict access to JSONWS APIs to trusted users only and apply network segmentation to limit exposure. Employ robust authentication and session management controls to reduce the risk of compromised low-privilege accounts. Review and tighten API permissions, and consider disabling JSONWS APIs where they are not required. Log and monitor API access so that anomalous requests to admin-related user data can be detected and investigated. Additionally, perform regular security assessments and penetration testing focused on API endpoints to identify and remediate similar access control weaknesses. Finally, educate users about the risks of privilege misuse and enforce the principle of least privilege across the portal environment.

Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:26.804Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a932dcad5a09ad00262a68

Added to database: 8/23/2025, 3:17:48 AM

Last enriched: 8/31/2025, 1:08:40 AM

Last updated: 9/1/2025, 12:34:20 AM
