CVE-2025-43806: CWE-863 Incorrect Authorization in Liferay Portal
Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows remote authenticated users to access the exported data via the REST APIs.
AI Analysis
Technical Summary
CVE-2025-43806 is a medium-severity vulnerability affecting Liferay Portal 7.4.0 through 7.4.3.112 and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92. The flaw is an incorrect authorization check (CWE-863) in the Batch Engine component, which handles import and export tasks exposed through the REST APIs. The affected endpoints confirm that a caller is authenticated but do not properly confirm that the caller has permission on the specific import or export task, so a remote user with valid but low-privilege credentials can retrieve exported data that should have been restricted to users holding permission on that task. The CVSS 4.0 base score is 5.3 (medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N), with low impact on confidentiality and integrity and no impact on availability. No exploitation in the wild has been reported, and no patch links are attached to this record, so fixed versions should be taken from the vendor advisory. The underlying weakness is the classic authentication-versus-authorization gap: checking that a request comes from a logged-in user is not the same as checking that this user may read that task's output.
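The following is an added illustration of the CWE-863 pattern described above, not Liferay code and not a reproduction of the actual defect. It models an export task as a record with an owner and a site, and contrasts a handler that only checks authentication (the vulnerable shape) with one that also checks object-level permission on the requested task. The user, role and task structures, and the names of the two handlers, are assumptions made for the example.

```python
"""Model of the authentication-vs-authorization gap behind a CWE-863 finding.

Added example, not Liferay code. The data model (User, ExportTask, TASKS)
and the two handler functions are assumptions for illustration only.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the task."""


@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)
    site_ids: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ExportTask:
    task_id: int
    owner_id: int
    site_id: int
    content: bytes


# Constructed sample data: one export task created by user 1001 in site 20.
TASKS = {
    5: ExportTask(5, owner_id=1001, site_id=20,
                  content=b'{"accounts":["acme","contoso"]}'),
}


def _load_task(task_id):
    try:
        return TASKS[task_id]
    except KeyError:
        raise LookupError(f"no export task {task_id}")


def get_export_content_unchecked(user, task_id):
    """Vulnerable shape: any authenticated caller can read any task's output.

    The only gate is "is someone logged in"; nothing ties the caller to the
    task, so a low-privilege account can walk task ids and download other
    users' exports.
    """
    if user is None:
        raise PermissionError("authentication required")
    return _load_task(task_id).content


def can_read_export(user, task):
    """Object-level check: task owner, a site admin of that site, or a global admin."""
    if task.owner_id == user.user_id:
        return True
    if "Administrator" in user.roles:
        return True
    if "Site Administrator" in user.roles and task.site_id in user.site_ids:
        return True
    return False


def get_export_content_checked(user, task_id):
    """Hardened shape: authenticate, then authorize against the specific task.

    A production endpoint may prefer to answer "not found" for both a missing
    task and a forbidden one so that task ids cannot be enumerated.
    """
    if user is None:
        raise PermissionError("authentication required")
    task = _load_task(task_id)
    if not can_read_export(user, task):
        raise Forbidden(f"user {user.user_id} may not read export task {task_id}")
    return task.content


if __name__ == "__main__":
    owner = User(1001, frozenset({"User"}), frozenset({20}))
    low_priv = User(2002, frozenset({"User"}), frozenset({20}))
    print(get_export_content_unchecked(low_priv, 5))   # leaks the owner's export
    print(get_export_content_checked(owner, 5))        # owner is allowed
    try:
        get_export_content_checked(low_priv, 5)
    except Forbidden as exc:
        print("denied:", exc)
```

The point of the contrast is the second check: the hardened handler loads the task first and then decides on the basis of who owns it and where it lives, which is the check the advisory says the affected Batch Engine endpoints did not perform properly.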
Potential Impact
For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of unauthorized data exposure. Liferay is widely used for enterprise content management, intranet portals, and customer-facing web applications, so export tasks may contain business data, user records, or proprietary content that a low-privilege account (an insider, a compromised account, or, where the portal allows self-registration, a freshly created account) could retrieve. This could lead to data breaches, loss of confidentiality, and compliance violations under GDPR where personal data is involved. The medium severity reflects that the flaw is not exploitable without credentials, but once any valid account is available no user interaction is needed, so retrieval can be automated. The impact on data integrity is limited but possible if attackers can manipulate import or export tasks. Availability is not affected, so service disruption is unlikely. Overall, the vulnerability could undermine trust in Liferay-based portals and lead to regulatory and reputational damage for European entities.
Mitigation Recommendations
Organizations should immediately audit their Liferay Portal and DXP deployments to identify affected versions; the running version is printed in the server log at startup and is shown in the Control Panel under Server Administration. Until the fix is applied, restrict the REST API endpoints used for import and export tasks to trusted accounts, for example through a Service Access Policy in the Control Panel or by limiting the relevant API path prefix at the reverse proxy to known integration hosts. Monitor access logs for requests to these endpoints, especially successful downloads of export results by accounts that are not expected to run exports and accounts that touch many task identifiers in a short period. Employ network segmentation and firewall rules to limit exposure of Liferay management interfaces. Enforce strong authentication, including multi-factor authentication (MFA), to reduce the risk of credential compromise, and review whether open self-registration is enabled, since any valid account is sufficient to reach the affected endpoints. Review and tighten user roles and permissions to minimize the number of users with access to Batch Engine functionality. Consider temporarily disabling or restricting batch import/export features if feasible. Stay alert for vendor advisories and apply security patches promptly once available. Additionally, conduct regular security assessments and penetration tests focusing on API authorization controls, in particular object-level checks on resources addressed by identifier, to detect similar weaknesses.
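As an added example supporting the monitoring recommendation above (not vendor code and not part of this advisory), the script below scans Tomcat-style access log lines for successful Batch Engine export downloads by accounts that are not on an allow-list, and flags accounts that retrieve many distinct task identifiers. It assumes the access log is written in Tomcat's combined format with the authenticated user field populated, and that export results are fetched from the Headless Batch Engine path pattern /o/headless-batch-engine/v1.0/export-task/<id>/content; both the log format and the path pattern should be verified against your own deployment (the path is visible in the instance's API explorer). The log lines, the trusted-user list and the threshold are constructed for the example.

```python
"""Flag Batch Engine export downloads by untrusted accounts in an access log.

Added example, not Liferay or vendor code. Assumptions: Tomcat combined
log format with %u populated, and the Headless Batch Engine export path
pattern below; the sample log lines are constructed.
"""
import re
from collections import defaultdict

# Tomcat combined format: %h %l %u %t "%r" %s %b ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed endpoint shape for reading an export task or its result.
EXPORT_RE = re.compile(
    r'^/o/headless-batch-engine/v1\.0/export-task/(?P<task_id>\d+)(?:/content)?$'
)

# Constructed sample log: jdoe runs an export; intern7 then walks three task
# ids; guest is refused; an unrelated request follows.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [30/Sep/2025:01:20:42 +0000] "GET /o/headless-batch-engine/v1.0/export-task/41/content HTTP/1.1" 200 58213
10.0.0.7 - intern7 [30/Sep/2025:01:21:03 +0000] "GET /o/headless-batch-engine/v1.0/export-task/41/content HTTP/1.1" 200 58213
10.0.0.7 - intern7 [30/Sep/2025:01:21:04 +0000] "GET /o/headless-batch-engine/v1.0/export-task/42/content HTTP/1.1" 200 1920
10.0.0.7 - intern7 [30/Sep/2025:01:21:05 +0000] "GET /o/headless-batch-engine/v1.0/export-task/43/content HTTP/1.1" 200 77410
10.0.0.9 - guest [30/Sep/2025:01:22:10 +0000] "GET /o/headless-batch-engine/v1.0/export-task/44/content HTTP/1.1" 403 0
10.0.0.5 - jdoe [30/Sep/2025:01:23:00 +0000] "GET /c/portal/layout HTTP/1.1" 200 812
"""

# Accounts expected to run exports (integration users, admins). Assumed list.
TRUSTED_EXPORT_USERS = {"jdoe", "batch-svc"}
ENUMERATION_THRESHOLD = 3  # distinct task ids read by one account


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text, trusted=TRUSTED_EXPORT_USERS, threshold=ENUMERATION_THRESHOLD):
    """Return findings: untrusted successful export reads and task-id enumeration."""
    findings = []
    tasks_by_user = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        em = EXPORT_RE.match(rec["path"])
        if not em:
            continue
        task_id = int(em["task_id"])
        # Only a 200 means data left the server; a 403 shows the control working.
        if rec["status"] == "200":
            tasks_by_user[rec["user"]].add(task_id)
            if rec["user"] not in trusted:
                findings.append(("untrusted_export_read", rec["user"],
                                 rec["ip"], task_id, rec["ts"]))
    for user, ids in tasks_by_user.items():
        if len(ids) >= threshold:
            findings.append(("export_task_enumeration", user, sorted(ids)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the scan reports three untrusted reads by intern7 and one enumeration finding for the same account; jdoe's single read is allowed and guest's 403 is ignored. In a real deployment, feed the scan from the log shipper and tune the trusted list from the accounts that legitimately create export tasks.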
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:33.793Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d1e592efb46fd030526285
Added to database: 9/23/2025, 12:10:58 AM
Last enriched: 9/30/2025, 1:20:42 AM
Last updated: 10/7/2025, 1:45:26 PM