CVE-2025-43773 is a medium severity security vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.132 and various quarterly releases from 2024.Q1.1 through 2025.Q2.1. The vulnerability is classified under CWE-862, which denotes Missing Authorization. The core issue lies in the expandoTableLocalService, a service that provides powerful database operations. This service is exposed within the Notifications Templates component without proper permission checks, allowing unauthorized users to access or manipulate data they should not have permission to. The vulnerability does not require the attacker to have elevated privileges (PR:H indicates high privileges required), but user interaction is necessary (UI:A). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H), user interaction required (UI:A), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:N). This suggests that while exploitation is possible remotely, it requires some user interaction and elevated privileges, and the impact on system security is limited but non-negligible. The lack of proper authorization checks in a service that can perform database operations could allow attackers to read or modify data improperly, potentially leading to data leakage or unauthorized data manipulation within the Liferay Portal environment. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations should be vigilant and monitor for updates from Liferay.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability could lead to unauthorized access or modification of sensitive data managed within the portal. Given Liferay's use in enterprise intranets, customer portals, and content management systems, exploitation could compromise business-critical information, disrupt workflows, or expose personal data subject to GDPR regulations. The medium severity rating reflects limited but meaningful risk, especially in environments where user privileges are not tightly controlled or where the Notifications Templates feature is widely used. The requirement for user interaction and elevated privileges somewhat limits the attack surface, but insider threats or phishing attacks could leverage this vulnerability to escalate access or manipulate data. This could result in reputational damage, regulatory fines, and operational disruption for affected organizations.

European organizations should implement the following specific mitigations: 1) Immediately audit and restrict access to the Notifications Templates feature and the expandoTableLocalService to only trusted and necessary users, minimizing the number of users with elevated privileges. 2) Employ strict role-based access controls (RBAC) and regularly review permissions to ensure no excessive privileges are granted. 3) Monitor logs for unusual access patterns or unauthorized attempts to use the expandoTableLocalService. 4) Educate users about phishing and social engineering risks to reduce the likelihood of user interaction-based exploitation. 5) Stay alert for official patches or updates from Liferay and apply them promptly once available. 6) Consider implementing application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable service. 7) Conduct penetration testing focused on authorization controls within Liferay Portal to identify and remediate similar weaknesses proactively.