
CVE-2025-62252: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal

Severity: Medium
Tags: Vulnerability, CVE-2025-62252, CWE-639
Published: Mon Oct 13 2025 (10/13/2025, 20:42:23 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.

AI-Powered Analysis

AI analysis last updated: 10/21/2025, 00:43:36 UTC

Technical Analysis

CVE-2025-62252 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Liferay Portal 7.4.0 through 7.4.3.111 and multiple Liferay DXP versions including 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92. The vulnerability arises from an Insecure Direct Object Reference (IDOR) flaw where remote authenticated users can manipulate the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter to assign an organization to a user belonging to a different virtual instance. Liferay Portal supports multi-tenancy via virtual instances, which are intended to isolate organizational data and user management. This flaw breaks that isolation, allowing cross-instance modifications that should be prohibited. The vulnerability does not require user interaction and can be exploited remotely with low attack complexity and no additional privileges beyond authentication. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low complexity, no user interaction, and limited impact on integrity (VI:L) but no impact on confidentiality or availability. Although no public exploits are known, the vulnerability could be leveraged by malicious insiders or attackers who have gained authenticated access to escalate privileges or manipulate organizational structures across virtual instances. The lack of patch links suggests that fixes may be pending or distributed through vendor channels. Organizations using affected Liferay versions should consider this a medium-severity risk due to the potential for unauthorized administrative actions and data integrity compromise across tenant boundaries.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to those using Liferay Portal or Liferay DXP in multi-tenant environments where virtual instances separate organizational data. Exploitation could lead to unauthorized assignment of users to organizations outside their intended virtual instance, potentially enabling privilege escalation, unauthorized access to resources, or manipulation of organizational data. This can undermine data integrity and trust boundaries within the portal, affecting compliance with data protection regulations such as GDPR if user data is improperly accessed or modified. The impact is heightened in sectors relying on strict tenant isolation, such as government, finance, healthcare, and large enterprises with multiple subsidiaries or departments using shared Liferay infrastructure. Although the vulnerability does not directly expose confidential data or cause denial of service, the cross-instance authorization bypass could facilitate further attacks or insider threats. Given the medium CVSS score and the requirement for authenticated access, the threat is moderate but significant in environments with many users and complex organizational structures. The absence of known exploits reduces immediate risk but does not eliminate the need for proactive mitigation.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Immediately verify the Liferay Portal and DXP versions in use and prioritize upgrading to patched versions once available from Liferay.
2) Restrict and audit administrative and user management privileges to minimize the number of users with rights to assign organizations or modify user memberships.
3) Implement strict access controls and monitoring on the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter usage, including logging and anomaly detection for cross-instance assignments.
4) Conduct regular reviews of virtual instance configurations and user assignments to detect unauthorized changes.
5) Employ network segmentation and multi-factor authentication to reduce the risk of unauthorized authenticated access.
6) Engage with Liferay support or security advisories to obtain patches or workarounds if official fixes are delayed.
7) Educate administrators about the risks of cross-instance user assignments and enforce policies to prevent misuse.
8) Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious parameter manipulation related to this vulnerability.
These steps go beyond generic advice by focusing on tenant isolation enforcement, privileged access management, and proactive monitoring specific to Liferay's multi-tenant architecture.
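The following Python is an added example, not Liferay code and not part of this record. It models the CWE-639 shape described in the technical analysis (a membership update that trusts caller-supplied user ids as long as they exist) next to a hardened version that resolves every referenced user and organization within the acting user's own virtual instance, and it implements the cross-instance detection that mitigation items 3 and 4 call for over constructed log lines. Only the parameter name comes from the record; the company_id key standing in for a virtual instance, the user and organization ids, and the log format are assumptions made for the example.

```python
"""Tenant-scoped checks for an organization-membership update (added example).

Illustrates the CWE-639 pattern described in this record and the
cross-instance detection the mitigations call for. Not Liferay code.
Constructed model: each virtual instance is keyed by a company_id (an
assumption), and every user and organization belongs to exactly one.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# The only identifier taken from the record itself.
PARAM = "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds"


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    user_id: int
    company_id: int  # virtual instance the user lives in


@dataclass
class Organization:
    org_id: int
    company_id: int
    members: set = field(default_factory=set)


def sample_state():
    """Constructed data: instance 1 holds users 101, 102 and org 10; instance 2 holds user 201."""
    users = {101: User(101, 1), 102: User(102, 1), 201: User(201, 2)}
    orgs = {10: Organization(10, 1)}
    return users, orgs


def add_users_vulnerable(users, orgs, actor_id, org_id, add_user_ids):
    """IDOR shape: caller-supplied ids are honoured as long as the user exists."""
    org = orgs[org_id]
    for uid in add_user_ids:
        if uid in users:  # existence check only, no instance check
            org.members.add(uid)
    return set(org.members)


def add_users_hardened(users, orgs, actor_id, org_id, add_user_ids):
    """Every referenced object must belong to the actor's own instance."""
    actor = users[actor_id]
    org = orgs.get(org_id)
    if org is None or org.company_id != actor.company_id:
        raise AuthorizationError(f"org {org_id} not in instance {actor.company_id}")
    for uid in add_user_ids:
        target = users.get(uid)
        if target is None or target.company_id != actor.company_id:
            raise AuthorizationError(f"user {uid} not in instance {actor.company_id}")
    org.members.update(add_user_ids)  # mutate only after every id has passed
    return set(org.members)


# Constructed request-log lines: "<ts> company=<id> actor=<id> query=<urlencoded query string>".
SAMPLE_LOG = [
    "2025-10-13T20:42:23Z company=1 actor=101 query=" + PARAM + "=102",
    "2025-10-13T20:43:10Z company=1 actor=101 query=" + PARAM + "=102%2C201",
]


def find_cross_instance_assignments(log_lines, users):
    """Return (actor, target_user, company) for every addUserIds value that
    names a user outside the instance the request was made in."""
    findings = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        company = int(fields["company"])
        ids = parse_qs(fields["query"]).get(PARAM, [""])[0]
        for raw in filter(None, ids.split(",")):
            target = users.get(int(raw))
            if target is None or target.company_id != company:
                findings.append((int(fields["actor"]), int(raw), company))
    return findings


if __name__ == "__main__":
    users, orgs = sample_state()
    print("vulnerable:", add_users_vulnerable(users, orgs, 101, 10, [102, 201]))
    users, orgs = sample_state()
    try:
        add_users_hardened(users, orgs, 101, 10, [102, 201])
    except AuthorizationError as exc:
        print("hardened rejected:", exc)
    print("flagged:", find_cross_instance_assignments(SAMPLE_LOG, users))
```

The hardened path fails closed before any state changes, so a single out-of-instance id in the list rejects the whole request rather than silently applying the valid part; the detector works from the same instance key, so a request log that records the requesting instance alongside the parameter is enough to surface the cross-instance assignments item 3 asks to monitor.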


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-10-09T20:58:51.716Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ed66ece828b4dd3cc6ab2e

Added to database: 10/13/2025, 8:54:04 PM

Last enriched: 10/21/2025, 12:43:36 AM

Last updated: 12/2/2025, 2:39:04 PM

