
CVE-2025-43798: CWE-304: Missing Critical Step in Authentication in Liferay DXP

Low
Tags: Vulnerability, CVE-2025-43798, CWE-304
Published: Mon Sep 15 2025 (09/15/2025, 20:53:02 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: DXP

Description

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.

AI-Powered Analysis

AI analysis last updated: 09/16/2025, 00:27:44 UTC

Technical Analysis

CVE-2025-43798 affects Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 (the CVE record identifies the 7.3 and 7.4 lines by their product version strings 7.3.10 and 7.4.13). The flaw is a missing step in the verification of time-based one-time passwords (TOTP, RFC 6238). A correct verifier, after accepting a code, records the time step that code was derived from and refuses that step (and any earlier one) on later attempts, so that each code can be consumed only once. The affected versions omit that bookkeeping, so the same code is accepted every time it is presented for as long as its time step falls inside the verifier's acceptance window (the time step itself plus whatever clock-skew tolerance is configured). An attacker who learns a valid code, for example by phishing it or observing it as it is typed, can therefore replay it to pass the TOTP check and authenticate as the user during that window without needing anything further from the victim. The weakness is classified as CWE-304 (Missing Critical Step in Authentication), since single-use enforcement is an intended step of TOTP validation that the implementation leaves out. The CVSS 4.0 base score is 2.1 (Low): the attack vector is network-based and no privileges are required, but attack complexity is rated high and user interaction is required, reflecting that the attacker must first obtain a fresh code from the victim and act within its short lifetime. The record scores the impact against confidentiality only, with no integrity or availability impact. No exploitation in the wild was known at publication, and no patch references were attached to the record at the time of this analysis. The issue is confined to the TOTP step of authentication on Liferay DXP instances running the listed versions.
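The missing step described above, shown as an added example that is not Liferay's code: a minimal RFC 6238 TOTP verifier in its replayable form beside one that records the last consumed time step and rejects it on a second presentation. The 30-second step, the one-step skew window, the base32 demo secret and the fixed timestamp are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (base32, RFC 4648); not taken from any real deployment.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # TOTP time step in seconds (RFC 6238 default; assumed here)
DIGITS = 6
WINDOW = 1     # accept +/- one step of clock skew (assumed tolerance)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


class VulnerableVerifier:
    """Accepts any code matching a step inside the window, even one already consumed."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for c in range(base - WINDOW, base + WINDOW + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                return True   # no record is kept, so the same code passes again
        return False


class HardenedVerifier:
    """Remembers the highest time step consumed and refuses it (or any earlier step) again."""

    def __init__(self, secret: bytes):
        self.secret = secret
        # Per-user state; in a real system this lives in the user record / database
        # and must be updated atomically with the successful check.
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for c in range(base - WINDOW, base + WINDOW + 1):
            if c <= self.last_used_step:
                continue   # replay of a consumed (or older) step: reject
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_used_step = c   # the missing "mark as used" step
                return True
        return False


def demo() -> dict:
    """Present one code twice within its validity window to both verifiers."""
    secret = base64.b32decode(DEMO_SECRET_B32)
    now = 1_700_000_000          # fixed constructed timestamp so the run is reproducible
    code = totp(secret, now)
    vuln, hard = VulnerableVerifier(secret), HardenedVerifier(secret)
    return {
        "vulnerable_first": vuln.verify(code, now),
        "vulnerable_replay": vuln.verify(code, now + 5),          # same step, accepted again
        "hardened_first": hard.verify(code, now),
        "hardened_replay": hard.verify(code, now + 5),            # same step, rejected
        "hardened_next_step": hard.verify(totp(secret, now + STEP), now + STEP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened verifier also rejects codes for steps earlier than the last accepted one, which is the behaviour RFC 6238 recommends; the cost is that a user who types two different codes out of order within the skew window has to wait for the next step.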

Potential Impact

For European organizations running Liferay DXP, the risk is account takeover by an attacker who has obtained a current TOTP code for a user, giving access to the business portals, intranet resources or customer-facing applications served through Liferay DXP. The low CVSS score reflects the difficulty of obtaining such a code in time, not the value of what it unlocks: in finance, healthcare and government deployments, where TOTP codes are a plausible phishing target, a replayable second factor removes much of the protection multi-factor authentication was added to provide. Access gained this way could be a starting point for lateral movement or data exfiltration if combined with other weaknesses or compromised credentials. The need for a fresh code and the short replay window make broad, opportunistic exploitation unlikely, so the realistic concern is targeted attacks against accounts on Liferay DXP instances that front critical or regulated services.

Mitigation Recommendations

Until the fix is applied, treat the TOTP factor as replayable and compensate for it. Alert on a second successful TOTP verification for the same account within one validation window (the time step plus any skew tolerance), particularly from a different source address; the code itself is normally not logged, so per-account timing is the available signal. Reinforce phishing awareness, since an attacker must first capture a fresh code from the user. Where the deployment offers a second factor that cannot be replayed, such as FIDO2/WebAuthn hardware tokens, prefer it over TOTP, at least for administrative and other high-value accounts. Restrict network access to Liferay DXP administrative interfaces and segment the portal from internal systems so that a hijacked session reaches as little as possible. Review authentication logs regularly for anomalies. Apply Liferay's fix for the affected versions as soon as it is available, starting with internet-facing instances. Disabling TOTP outright is not a mitigation on its own: a replayable second factor is still more than no second factor, so only remove it where another factor or additional verification step replaces it.
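The monitoring control above, as an added example rather than anything from the page or from Liferay: detection logic that flags two successful TOTP verifications for one account whose time steps are close enough that a single code could have been accepted at both. The log format, field names, 30-second step and one-step skew tolerance are constructed assumptions, not Liferay's real log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical "ts event user ip result" layout.
SAMPLE_LOG = """\
2025-09-16T08:00:01Z mfa.totp user=alice ip=203.0.113.10 result=success
2025-09-16T08:00:14Z mfa.totp user=alice ip=198.51.100.7 result=success
2025-09-16T08:00:40Z mfa.totp user=bob ip=203.0.113.22 result=success
2025-09-16T08:05:03Z mfa.totp user=alice ip=203.0.113.10 result=success
2025-09-16T08:05:09Z mfa.totp user=carol ip=192.0.2.9 result=failure
2025-09-16T08:05:11Z mfa.totp user=carol ip=192.0.2.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mfa\.totp user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)
STEP_SECONDS = 30   # assumed TOTP step
SKEW_STEPS = 1      # assumed verifier skew tolerance (+/- one step)


def parse(log: str) -> list:
    """Turn matching log lines into (epoch_seconds, user, ip, result) tuples; skip others."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((int(ts.timestamp()), m["user"], m["ip"], m["result"]))
    return events


def find_replay_candidates(log: str) -> list:
    """Return (user, t_first, t_second, ip_first, ip_second) for pairs of successful
    TOTP checks on the same account whose time steps are within 2*SKEW_STEPS of each
    other: a code for some step s is accepted at any step within s +/- SKEW_STEPS, so two
    acceptances that close together could have consumed the same code."""
    by_user = defaultdict(list)
    for ts, user, ip, result in parse(log):
        if result == "success":
            by_user[user].append((ts, ip))

    alerts = []
    for user, hits in by_user.items():
        hits.sort()
        for i in range(len(hits)):
            for j in range(i + 1, len(hits)):
                t1, ip1 = hits[i]
                t2, ip2 = hits[j]
                if (t2 // STEP_SECONDS) - (t1 // STEP_SECONDS) <= 2 * SKEW_STEPS:
                    alerts.append((user, t1, t2, ip1, ip2))
    return alerts


if __name__ == "__main__":
    for user, t1, t2, ip1, ip2 in find_replay_candidates(SAMPLE_LOG):
        print(f"possible TOTP replay: user={user} {t1}->{t2} ({t2 - t1}s) from {ip1} then {ip2}")
```

A second success from the same address a few seconds later is usually a user re-authenticating on another tab and is worth tuning down; the same pattern from two different addresses is the case to escalate. Because a legitimate user can also authenticate twice within one step, this rule is a lead for investigation, not proof of replay.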


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-17T10:55:31.458Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c8aa71ee2781683eebd801

Added to database: 9/16/2025, 12:08:17 AM

Last enriched: 9/16/2025, 12:27:44 AM

Last updated: 9/17/2025, 12:09:20 AM

