
CVE-2025-43789: CWE-863 Incorrect Authorization in Liferay Portal

Severity: Low
Tags: Vulnerability, CVE-2025-43789, CWE-863
Published: Fri Sep 12 2025 (09/12/2025, 02:00:54 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

JSON Web Services published to OSGi in Liferay Portal 7.4.0 through 7.4.3.119, and in Liferay DXP 2024.Q1.1 through 2024.Q1.9 and 7.4 GA through update 92, are registered and invoked directly as classes, which allows Service Access Policies to get executed.

AI-Powered Analysis

Last updated: 09/12/2025, 02:44:58 UTC

Technical Analysis

CVE-2025-43789 is an Incorrect Authorization (CWE-863) vulnerability affecting Liferay Portal 7.4.0 through 7.4.3.119, Liferay DXP 2024.Q1.1 through 2024.Q1.9, and Liferay DXP 7.4 GA through update 92. In these versions, JSON Web Services published to OSGi are registered and invoked directly as classes, which leads to Service Access Policies being executed. This design flaw can result in improper authorization checks, potentially allowing users with limited privileges to invoke services they should not be authorized to use. The CVSS 4.0 base score is 1.0 (Low). The vector requires adjacent network access (AV:A), high attack complexity (AC:H), low privileges (PR:L) and active user interaction (UI:A); the impact on confidentiality and integrity is low, and availability is not affected. No exploits are known in the wild, and no patch has been linked to the record yet. The root cause is the direct invocation of JSON Web Service classes without sufficient authorization enforcement, so unauthorized service access is possible only for an attacker who can satisfy all of those preconditions; widespread or trivial exploitation is therefore unlikely.

Potential Impact

For European organizations using affected Liferay Portal or DXP versions, the impact of CVE-2025-43789 is expected to be low. The vulnerability could allow limited unauthorized access to certain JSON Web Services, potentially exposing sensitive data or enabling minor unauthorized actions within the portal environment. However, the requirement for adjacent network access and user interaction reduces the risk of remote or automated exploitation. Organizations with Liferay deployments in sensitive sectors such as government, finance, or healthcare should still consider the risk, as even low-severity authorization flaws can be leveraged as part of a larger attack chain. The low severity and absence of known exploits suggest that immediate operational impact is minimal, but the vulnerability could be used for reconnaissance or privilege escalation in targeted attacks. European organizations relying heavily on Liferay for intranet portals, customer engagement, or digital experience platforms should assess their exposure and monitor for any emerging exploit attempts.

Mitigation Recommendations

To mitigate CVE-2025-43789, European organizations should:

1) Identify and inventory all Liferay Portal and DXP instances, verifying versions against the affected range.
2) Apply any forthcoming official patches or updates from Liferay as soon as they become available.
3) Restrict network access to Liferay JSON Web Services endpoints to trusted internal networks only, minimizing exposure to adjacent network attackers.
4) Implement strict access controls and monitoring on service invocation logs to detect unusual or unauthorized service calls.
5) Employ Web Application Firewalls (WAFs) with custom rules to block suspicious JSON Web Services requests that do not conform to expected usage patterns.
6) Educate users about phishing and social engineering risks to reduce the likelihood of user interaction-based exploitation.
7) Conduct regular security assessments and penetration tests focusing on authorization controls within the Liferay environment.

These measures go beyond generic advice by focusing on network segmentation, monitoring, and user awareness tailored to the specific nature of this vulnerability.
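Step 1 is harder than it looks because the three affected ranges use three different version schemes (four-part Portal GA versions, DXP quarterly releases such as 2024.Q1.9, and DXP 7.4 "update" numbers where GA counts as update 0). The script below is an added example, not part of the advisory or of any Liferay tooling: it normalises inventory strings into a comparable key per scheme and checks them against the ranges stated in the CVE description. The accepted input formats ("7.4 GA", "7.4 update 92", "7.4 u92") and the hostnames in the sample inventory are assumptions made for the example; anything that does not fit a known scheme is routed to a review bucket rather than silently treated as clean.

```python
"""Version-range triage for CVE-2025-43789 (added example).

The inclusive ranges come from the CVE description; the input formats and
sample hosts are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[str, Tuple[int, ...]]  # (scheme label, numeric key)

# Inclusive affected ranges as stated in the CVE description.
# Scheme labels are this example's own names, not Liferay terminology.
AFFECTED_RANGES = [
    ("portal", (7, 4, 0, 0), (7, 4, 3, 119)),        # Portal 7.4.0 .. 7.4.3.119
    ("quarterly", (2024, 1, 1), (2024, 1, 9)),       # DXP 2024.Q1.1 .. 2024.Q1.9
    ("dxp-update", (7, 4, 0), (7, 4, 92)),           # DXP 7.4 GA (update 0) .. update 92
]

_QUARTERLY = re.compile(r"^(\d{4})\.Q([1-4])\.(\d+)$")
_DXP_UPDATE = re.compile(r"^(\d+)\.(\d+)\s+(?:GA|(?:update|u)\s*(\d+))$", re.I)
_PORTAL = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(product: str, text: str) -> Optional[Version]:
    """Normalise an inventory string into a (scheme, key) pair.

    product is "portal" or "dxp", matching the two product names in the CVE.
    Returns None when the string fits no known scheme so the caller can flag
    it for manual review instead of assuming it is safe.
    """
    text = text.strip()
    m = _QUARTERLY.match(text)
    if m and product == "dxp":
        year, quarter, patch = (int(x) for x in m.groups())
        return ("quarterly", (year, quarter, patch))
    m = _DXP_UPDATE.match(text)
    if m and product == "dxp":
        major, minor, update = m.group(1), m.group(2), m.group(3)
        # "GA" carries no update number; treat it as update 0.
        return ("dxp-update", (int(major), int(minor), int(update or 0)))
    m = _PORTAL.match(text)
    if m and product == "portal":
        # Pad "7.4.0" to four parts so keys in this scheme compare uniformly.
        return ("portal", tuple(int(x) if x is not None else 0 for x in m.groups()))
    return None


def is_affected(product: str, text: str) -> Optional[bool]:
    """True/False for a recognised version, None when it cannot be parsed."""
    parsed = parse_version(product, text)
    if parsed is None:
        return None
    scheme, key = parsed
    # Only compare within the same scheme; a quarterly key never matches a
    # portal range even if the tuples happen to be orderable.
    return any(scheme == s and lo <= key <= hi for s, lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, product, version) records into affected / clean / review."""
    result: Dict[str, List[str]] = {"affected": [], "clean": [], "review": []}
    for host, product, version in inventory:
        verdict = is_affected(product, version)
        bucket = "review" if verdict is None else ("affected" if verdict else "clean")
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("intranet-01", "portal", "7.4.3.118"),
    ("intranet-02", "portal", "7.4.3.120"),
    ("dxp-prod-01", "dxp", "2024.Q1.9"),
    ("dxp-prod-02", "dxp", "2024.Q2.1"),
    ("dxp-legacy-01", "dxp", "7.4 update 92"),
    ("dxp-legacy-02", "dxp", "7.4 GA"),
    ("dxp-legacy-03", "dxp", "7.4 u93"),
    ("unknown-01", "dxp", "7.3.10"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The review bucket is the important design choice: an inventory string that does not match any scheme (for example a 7.3 DXP host recorded without an update number) must not be reported as clean just because the comparison failed. Boundary values are deliberately included in the sample so the inclusive upper ends (7.4.3.119, 2024.Q1.9, update 92) are exercised.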


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:29.975Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c3859b563d4c3db063701d

Added to database: 9/12/2025, 2:29:47 AM

Last enriched: 9/12/2025, 2:44:58 AM

Last updated: 9/12/2025, 3:46:05 AM

