
CVE-2025-62251: CWE-732 Incorrect Permission Assignment for Critical Resource in Liferay Portal

Severity: Medium
Tags: Vulnerability, CVE-2025-62251, CWE-732
Published: Mon Oct 13 2025 (10/13/2025, 21:23:34 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 GA through update 36 show content to users who do not have permission to view it via the Menu Display Widget. This security flaw could result in sensitive information being exposed to unauthorized users.

AI-Powered Analysis

Last updated: 10/13/2025, 21:34:44 UTC

Technical Analysis

CVE-2025-62251 identifies a security vulnerability in Liferay Portal and Liferay DXP products spanning versions 7.3.0 through 7.4.3.119 and multiple 2023 Q3 and Q4 releases. The vulnerability stems from CWE-732, incorrect permission assignment for a critical resource. Specifically, the Menu Display Widget component fails to enforce proper access controls, so users who do not have explicit permission to view certain content can nonetheless access it through the widget. This results in unauthorized disclosure of potentially sensitive information. Per the CVSS 4.0 vector, the vulnerability is network exploitable (AV:N), has low attack complexity (AC:L) and no special attack requirements (AT:N), but does require high privileges (PR:H) and user interaction (UI:P). The impact on confidentiality and integrity is low, with no impact on availability. The scope is limited to the affected Liferay Portal and DXP versions. No known exploits have been reported in the wild, and no official patches have been linked yet. The flaw is significant in environments where sensitive content is managed via the Menu Display Widget, especially in enterprise portals and government websites that rely on Liferay for content management and collaboration.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive or confidential information hosted on Liferay Portal instances. This could include internal documents, user data, or proprietary content that should be restricted. Exposure of such information can lead to reputational damage, regulatory non-compliance (e.g., GDPR violations), and potential competitive disadvantage. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that use Liferay Portal for intranet or extranet services are particularly vulnerable. The medium severity rating indicates a moderate risk, but the lack of required authentication and the network accessibility increase the urgency to address the issue. Although no active exploitation is reported, attackers could leverage this flaw to gather intelligence or conduct further attacks. The impact on availability is negligible, but confidentiality breaches could have long-term consequences.

Mitigation Recommendations

European organizations should immediately conduct a thorough audit of permission settings related to the Menu Display Widget in their Liferay Portal deployments. Restrict access to sensitive content by enforcing the principle of least privilege and reviewing user roles and permissions. Temporarily disable or remove the Menu Display Widget from public or untrusted-facing portals until an official patch is released. Implement strict monitoring and logging of access to the widget and related content to detect anomalous access patterns. Network segmentation and web application firewalls (WAFs) can be configured to limit exposure of the vulnerable components. Engage with Liferay support or vendor channels to obtain patches or workarounds as soon as they become available. Educate administrators and content managers about the vulnerability and the importance of access control hygiene. Finally, prepare incident response plans in case unauthorized data disclosure is detected.


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-10-09T20:58:51.716Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ed702cefcc33289f46914c

Added to database: 10/13/2025, 9:33:32 PM

Last enriched: 10/13/2025, 9:34:44 PM

Last updated: 10/16/2025, 9:54:00 AM

Views: 24
