CVE-2025-43790: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users from one virtual instance to access, create, edit, or relate data/object entries/definitions to an object in a different virtual instance.
AI Analysis
Technical Summary
CVE-2025-43790 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.124, and various 2024 Q1 and Q2 releases. The vulnerability arises from improper authorization checks when handling user-controlled keys that reference objects across virtual instances within the Liferay environment. This flaw allows a remote authenticated user with limited privileges in one virtual instance to access, create, edit, or relate data or object entries belonging to a different virtual instance. Essentially, the authorization bypass enables cross-instance data manipulation, violating data isolation principles critical in multi-tenant deployments. The vulnerability is classified under CWE-639, which pertains to authorization bypass through user-controlled keys. The CVSS 4.0 base score is 7.4 (high), reflecting network attack vector, low attack complexity, partial authentication required, user interaction needed, and high impact on confidentiality and integrity. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that organizations must proactively monitor for updates. The vulnerability's exploitation could lead to unauthorized data exposure, data tampering, and potential compromise of business logic or workflows that rely on strict data partitioning between virtual instances.
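The following is an added illustration of the CWE-639 pattern the summary describes, written for this page and not taken from Liferay's code. It uses a hypothetical in-memory object store in which each virtual instance is identified by an `instance_id`, and contrasts a lookup that resolves a user-supplied key with no instance scoping against one that checks the key's owning instance before any read, edit or relation.

```python
"""Constructed model of cross-instance IDOR (CWE-639); not Liferay's own code."""
from dataclasses import dataclass
from typing import Optional


class AuthorizationError(Exception):
    """Raised when a key resolves to an entry outside the caller's instance."""


@dataclass
class ObjectEntry:
    entry_id: int
    instance_id: int      # the virtual instance that owns this entry
    data: dict


@dataclass
class Caller:
    user_id: int
    instance_id: int      # the virtual instance the session authenticated in


# Constructed sample data: two virtual instances, one entry each.
ENTRIES = {
    1001: ObjectEntry(1001, instance_id=1, data={"name": "instance-1 record"}),
    2002: ObjectEntry(2002, instance_id=2, data={"name": "instance-2 record"}),
}


def get_entry_vulnerable(caller: Caller, entry_id: int) -> Optional[ObjectEntry]:
    """IDOR pattern: the user-controlled key is resolved with no instance check,
    so any authenticated user can reach any instance's entry by guessing an id."""
    return ENTRIES.get(entry_id)


def entry_in_caller_instance(caller: Caller, entry_id: int) -> bool:
    """True only if the key resolves to an entry owned by the caller's instance."""
    entry = ENTRIES.get(entry_id)
    return entry is not None and entry.instance_id == caller.instance_id


def get_entry_hardened(caller: Caller, entry_id: int) -> ObjectEntry:
    """Resolve the key, then enforce instance scope. A foreign entry and a
    missing entry get the same error so existence is not leaked across instances."""
    if not entry_in_caller_instance(caller, entry_id):
        raise AuthorizationError(f"entry {entry_id} not accessible to {caller.user_id}")
    return ENTRIES[entry_id]


def relate_entries_hardened(caller: Caller, entry_id: int, related_id: int) -> ObjectEntry:
    """Relating two entries takes two user-controlled keys; both must be scoped,
    otherwise the second key is the bypass even when the first is checked."""
    primary = get_entry_hardened(caller, entry_id)
    related = get_entry_hardened(caller, related_id)
    primary.data.setdefault("related", []).append(related.entry_id)
    return primary
```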
Potential Impact
For European organizations using Liferay Portal or DXP, especially those deploying multi-tenant or virtual instance configurations, this vulnerability poses significant risks. Unauthorized cross-instance access can lead to exposure of sensitive data belonging to different business units, clients, or partners, violating GDPR and other data protection regulations. Data integrity could be compromised by unauthorized edits or relationships created between objects, potentially disrupting business processes, reporting, or compliance controls. The breach of data isolation may also undermine trust in service providers or internal IT governance. Given Liferay's popularity in sectors such as government, finance, and education across Europe, exploitation could result in regulatory penalties, reputational damage, and operational disruptions. The requirement for authentication and user interaction somewhat limits exploitation to insiders or compromised accounts, but the ease of bypassing authorization controls once authenticated elevates the threat level.
Mitigation Recommendations
European organizations should immediately audit their Liferay Portal and DXP deployments to identify affected versions and virtual instance configurations. Until official patches are released, organizations should implement strict access controls and monitoring on user accounts with privileges to multiple virtual instances. Employ network segmentation and application-layer firewalls to restrict access paths between virtual instances. Review and harden authentication mechanisms to reduce the risk of compromised credentials. Implement detailed logging and anomaly detection focused on cross-instance data access patterns to detect potential exploitation attempts. Engage with Liferay support or security advisories to obtain patches or workarounds as soon as they become available. Additionally, conduct security training for administrators and users to recognize and report suspicious activities related to cross-instance data access. Finally, consider temporarily disabling or restricting features that allow cross-instance object manipulation if feasible.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:29.975Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c30d7c64551817faa3ade7
Added to database: 9/11/2025, 5:57:16 PM
Last enriched: 9/11/2025, 5:57:32 PM
Last updated: 9/11/2025, 5:57:32 PM
Related Threats
- CVE-2025-58060: CWE-287: Improper Authentication in OpenPrinting cups (High)
- CVE-2025-58364: CWE-20: Improper Input Validation in OpenPrinting cups (Medium)
- CVE-2025-43782: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal (Medium)
- CVE-2025-10255: Cross Site Scripting in Ascensio System SIA OnlyOffice (Medium)
- CVE-2025-10254: Cross Site Scripting in Ascensio System SIA OnlyOffice (Medium)