CVE-2025-43784: CWE-863: Incorrect Authorization in Liferay Portal
Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entries information via the API Builder.
AI Analysis
Technical Summary
CVE-2025-43784 is an Improper Access Control vulnerability (CWE-863) identified in Liferay Portal versions 7.4.0 through 7.4.3.124 and multiple Liferay DXP 2024 releases (Q1 and Q2 series). The vulnerability allows guest (unauthenticated) users to access object entries information via the API Builder component of the portal. This means that unauthorized users can retrieve sensitive or restricted data objects that should normally require proper authorization checks. The flaw stems from incorrect authorization logic that fails to properly restrict access to certain API endpoints, allowing data exposure without authentication or with minimal privileges. The CVSS v4.0 base score is 6.2 (medium severity), reflecting a network attack vector with low attack complexity, no privileges required, but requiring user interaction. The scope is high, indicating that the vulnerability affects components beyond the initially vulnerable component, potentially impacting multiple parts of the system. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. This vulnerability impacts Liferay Portal and Liferay DXP, which are widely used enterprise-grade content management and collaboration platforms, often deployed in corporate intranets, extranets, and public-facing web portals. The API Builder is a key feature for integrating and exposing data objects, so unauthorized access here can lead to data leakage and potential further exploitation if sensitive information is exposed.
Potential Impact
For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a significant risk of unauthorized data disclosure. Since guest users can access object entries without proper authorization, sensitive business data, customer information, or internal records could be exposed to external attackers or unauthorized internal users. This can lead to breaches of data protection regulations such as GDPR, resulting in legal penalties and reputational damage. The medium severity score indicates that while the vulnerability does not allow full system compromise or remote code execution, the confidentiality impact is notable. Organizations relying on Liferay for customer portals, intranet services, or public-facing applications may face data leakage risks. Additionally, the high scope impact suggests that multiple components or integrated systems could be affected, amplifying the potential damage. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once details become public. The requirement for user interaction (UI:A) implies some form of user action is needed, such as visiting a crafted URL or interacting with a malicious link, which is plausible in phishing or social engineering scenarios targeting employees or customers.
Mitigation Recommendations
European organizations should immediately review their Liferay Portal and DXP deployments to identify if they are running affected versions (7.4.0 through 7.4.3.124 and specified 2024 Q1/Q2 releases). In the absence of an official patch, organizations should implement strict network-level access controls to limit guest or anonymous access to the API Builder endpoints. This can include firewall rules, web application firewall (WAF) policies, or reverse proxy configurations to restrict or block unauthenticated API calls. Administrators should audit API permissions and disable or restrict guest access where possible. Monitoring and logging API access attempts, especially from unauthenticated users, can help detect exploitation attempts early. User education to recognize phishing or suspicious links that might trigger user interaction is also advised. Once a vendor patch or update is released, organizations must prioritize prompt testing and deployment. Additionally, organizations should conduct a thorough review of exposed data objects to assess potential data leakage and implement data minimization or encryption where feasible to reduce the impact of unauthorized access.
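The monitoring step above (logging API access attempts, especially from unauthenticated users) can be turned into a simple triage routine. The following is an added example written for this record, not code from Liferay or from the page's source; it assumes that Liferay object entries are served under the path prefix `/o/c/` and that a reverse proxy in front of the portal logs the resolved portal user as `user=...` (`guest` when there is no session). The log format and the sample lines are constructed for the example, and the function names (`guest_object_requests`, `successful_by_source`, `flag_sources`) are hypothetical.

```python
import re
from collections import Counter

# Assumed path prefix for Liferay object-entry REST resources (not taken from the record).
OBJECT_API_PREFIX = "/o/c/"

# Constructed log format: timestamp, client IP, resolved portal user, request line, HTTP status.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed sample log: three served guest reads from one source, one authenticated
# read, one unrelated guest page view, and one guest read blocked by a proxy rule (403).
SAMPLE_LOG = """\
2025-09-10T19:00:01Z 203.0.113.7 user=guest "GET /o/c/customerrecords" 200
2025-09-10T19:00:02Z 203.0.113.7 user=guest "GET /o/c/customerrecords/1" 200
2025-09-10T19:00:03Z 203.0.113.7 user=guest "GET /o/c/customerrecords/2" 200
2025-09-10T19:00:04Z 198.51.100.9 user=alice "GET /o/c/customerrecords" 200
2025-09-10T19:00:05Z 203.0.113.7 user=guest "GET /web/guest/home" 200
2025-09-10T19:00:06Z 192.0.2.4 user=guest "GET /o/c/invoices" 403
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def guest_object_requests(log_text):
    """Return every parsed record in which an unauthenticated user requested object entries."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] == "guest" and rec["path"].startswith(OBJECT_API_PREFIX):
            hits.append(rec)
    return hits


def successful_by_source(hits):
    """Count guest object-entry reads the portal actually served (2xx), per client IP.

    Attempts blocked by a WAF or proxy rule (for example 403) are left out so the
    count reflects real exposure rather than attempted access; they still appear in
    the raw hit list for review.
    """
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)


def flag_sources(counts, threshold=2):
    """Sources with at least `threshold` served guest reads (threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = guest_object_requests(SAMPLE_LOG)
    counts = successful_by_source(hits)
    for ip in flag_sources(counts):
        print(f"{ip}: {counts[ip]} object-entry reads served to guest")
```

Run against a real proxy log, the separation between served (2xx) and blocked (403) guest reads tells you two different things: the served count measures what a restriction still lets through, and the blocked count shows whether anyone is probing the endpoints after the WAF or reverse-proxy rule is in place.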
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:29.974Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c1ce8dc458e92ac013738d
Added to database: 9/10/2025, 7:16:29 PM
Last enriched: 9/10/2025, 7:16:52 PM
Last updated: 9/10/2025, 7:52:51 PM
Related Threats
- CVE-2025-43783: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal (Medium)
- CVE-2025-10211: Server-Side Request Forgery in yanyutao0402 ChanCMS (Medium)
- CVE-2025-54376: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in SpectoLabs hoverfly (High)
- CVE-2025-29592: n/a (Medium)
- CVE-2025-10201: Inappropriate implementation in Google Chrome (High)