CVE-2025-3586
📋 TL;DR
This vulnerability allows authenticated users holding the Instance Administrator role to execute arbitrary Groovy scripts through Object actions in Liferay Portal/DXP, giving them remote code execution on the portal host. It affects Liferay Portal 7.4.3.27-7.4.3.42 and multiple Liferay DXP versions. The practical boundary crossed is portal administration to operating-system code: an account that should only manage portal configuration can run arbitrary JVM code as the Liferay service user. Liferay SaaS deployments are not affected because they already restrict Groovy script usage.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
Liferay Portal is an open-source, Java-based portal and digital experience platform; Liferay DXP is its commercially supported edition. The Objects module lets administrators define custom data objects and attach actions to them, including actions implemented as Groovy scripts that run inside the portal JVM.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an authenticated admin attacker gains complete control over the server, can execute arbitrary commands, access sensitive data, and pivot to other systems.
Likely Case
A privileged admin user, or an attacker who has obtained Instance Administrator credentials, exploits the vulnerability to execute arbitrary code, potentially installing backdoors, stealing data, or disrupting services.
If Mitigated
Limited impact if proper access controls restrict admin privileges and monitoring detects unusual Groovy script execution.
🎯 Exploit Status
Exploitation requires an authenticated account with the Instance Administrator role. The vulnerability is in the Objects module's handling of Groovy scripts in Object actions; because Groovy runs with the full privileges of the portal JVM, a script that reaches execution is already arbitrary code on the host.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay DXP 2024.Q2 and later with Groovy restriction enabled in Instance Settings
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3586
Restart Required: Yes
Instructions:
1. Upgrade to Liferay DXP 2024.Q2 or later. For Liferay Portal (CE), move to a GA release later than 7.4.3.42, the last Portal version listed as affected.
2. In Instance Settings, disable Groovy script usage in Object actions.
3. Restart the Liferay instance.
🔧 Temporary Workarounds
Restrict Admin Access
Limit the Instance Administrator role to only trusted users and implement strict access controls (MFA, no shared admin accounts, periodic review of role membership).
Disable Objects Module
Temporarily disable the Objects module if it is not required for business operations.
🧯 If You Can't Patch
- Implement strict monitoring of admin user activities and Groovy script execution
- Apply network segmentation to limit Liferay server access and reduce attack surface
🔍 How to Verify
Check if Vulnerable:
Check Liferay version in Control Panel → Configuration → Server Administration → System Information
Check Version:
Check via Control Panel → Configuration → Server Administration → System Information, or read the version banner Liferay prints to the server log at startup.
Verify Fix Applied:
Verify version is 2024.Q2+ and Groovy restriction is enabled in Instance Settings → Objects → Scripting
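The version check above is easy to get wrong by string comparison (for example "7.4.3.5" sorts after "7.4.3.42" lexically). The following is an added example, not Liferay code or tooling, that parses the numeric version out of a System Information string or startup banner and compares it as a tuple against the Portal (CE) range this page lists, 7.4.3.27 through 7.4.3.42. The banner strings fed to it are constructed. DXP builds use a different versioning scheme and the page only says "multiple versions" are affected, so the helper deliberately defers those to the vendor advisory rather than guessing a range.

```python
"""Classify a Liferay version string against the CVE-2025-3586 affected range.

Added example, not Liferay's own code. The Portal (CE) range 7.4.3.27-7.4.3.42
is the one stated on this page; DXP is deferred to the vendor advisory.
"""
import re

# Inclusive affected range for Liferay Portal (CE), as stated on this page.
AFFECTED_PORTAL_MIN = (7, 4, 3, 27)
AFFECTED_PORTAL_MAX = (7, 4, 3, 42)

# Dotted numeric version with at least three components, e.g. 7.4.3.30.
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){2,})\b")


def parse_version(text: str) -> tuple:
    """Return the first dotted version in `text` as a tuple of ints.

    Tuple comparison gives correct numeric ordering; comparing the raw
    strings would rank '7.4.3.5' above '7.4.3.42'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected_portal(version_text: str) -> bool:
    """True when a Liferay Portal (CE) version lies in 7.4.3.27..7.4.3.42 inclusive."""
    return AFFECTED_PORTAL_MIN <= parse_version(version_text) <= AFFECTED_PORTAL_MAX


def assess_banner(banner: str) -> str:
    """Map a System Information string or startup banner to one of
    'affected', 'not-affected' or 'dxp-check-advisory'."""
    if "dxp" in banner.lower():
        # DXP builds are quarterly releases or 'update N' builds; the page
        # gives no numeric range for them, so do not guess.
        return "dxp-check-advisory"
    return "affected" if is_affected_portal(banner) else "not-affected"


if __name__ == "__main__":
    # Constructed banners in the style of the startup log; not captured output.
    for banner in (
        "Starting Liferay Community Edition Portal 7.4.3.30 CE GA30",
        "Starting Liferay Community Edition Portal 7.4.3.42 CE GA42",
        "Starting Liferay Community Edition Portal 7.4.3.43 CE GA43",
        "Starting Liferay DXP 7.4.13 Update 92",
    ):
        print(f"{banner!r}: {assess_banner(banner)}")
```

Run it against the exact string shown under Server Administration → System Information. An "affected" result for a Portal install means the version alone decides the matter; "not-affected" still assumes the Groovy restriction in Instance Settings is enabled on DXP, which this script cannot check.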
📡 Detection & Monitoring
Log Indicators:
- Unusual Groovy script execution in Object actions
- Admin user performing unexpected Object actions
- System command execution from Liferay processes
Network Indicators:
- Outbound connections from Liferay server to unexpected destinations
- Unusual network traffic patterns from Liferay server
SIEM Query (Splunk-style; the wildcards are deliberately broad and will also match routine scripting noise, so tune by excluding known scheduled jobs):
source="liferay" AND (message="*Groovy*" OR message="*ObjectAction*" OR message="*script*execution*")
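The SIEM query above flags any line that mentions Groovy or Object actions, which is noisy on a portal that uses Objects legitimately. The following is an added example, not Liferay code or an official detection, that applies the three log indicators from this section to a handful of constructed log lines and then aggregates hits per user so that one account producing many Groovy and process-execution events stands out. The log line format, the `user=` field and the `[ObjectActionEngine]` tag are assumptions for illustration, not Liferay's actual log layout; adapt the patterns to the appender format in your deployment.

```python
"""Triage Liferay log lines for the CVE-2025-3586 indicators listed above.

Added example, not Liferay code. Log format and field names are assumed.
"""
import re
from collections import Counter

# One pattern per indicator from the Detection section. These are guesses at
# what such lines could contain, not Liferay's real log messages.
INDICATORS = {
    # "Unusual Groovy script execution in Object actions"
    "groovy_object_action": re.compile(r"ObjectAction.*groovy|groovy.*ObjectAction", re.I),
    # "Admin user performing unexpected Object actions" (definition changes)
    "object_action_change": re.compile(r"ObjectAction.*(created|updated|enabled)", re.I),
    # "System command execution from Liferay processes"
    "process_exec": re.compile(r"Runtime\.exec|ProcessBuilder|/bin/(ba)?sh|cmd\.exe", re.I),
}

# Assumed field carrying the acting user; adjust to your log layout.
USER_RE = re.compile(r"user=(\S+)")

# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """\
2025-05-02 10:14:03 INFO  [liferay/scheduler] scheduled job ok
2025-05-02 10:15:11 INFO  [ObjectActionEngine] user=admin@example.com action=notify-owner type=webhook
2025-05-02 10:16:40 INFO  [ObjectActionEngine] user=admin@example.com action=export-report type=groovy executed
2025-05-02 10:16:41 WARN  [ObjectActionEngine] user=admin@example.com objectAction updated: type=groovy script=...
2025-05-02 10:16:42 INFO  [liferay/objects] user=admin@example.com ProcessBuilder started: /bin/sh -c "id"
2025-05-02 10:20:00 INFO  [ObjectActionEngine] user=editor@example.com action=sync type=groovy executed
""".splitlines()


def scan_lines(lines):
    """Return one finding dict per (line, indicator) hit, with the acting user if present."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        user = USER_RE.search(line)
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({
                    "line": lineno,
                    "indicator": name,
                    "user": user.group(1) if user else None,
                })
    return findings


def users_over_threshold(findings, threshold=2):
    """Users whose total indicator hits reach `threshold`; these are the accounts to review first."""
    counts = Counter(f["user"] for f in findings if f["user"])
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']:>2}  {h['indicator']:<22} {h['user']}")
    print("review first:", users_over_threshold(hits))
```

The per-user aggregation is the part worth keeping: a single Groovy action from an account that maintains Objects is expected, whereas a Groovy definition change followed within seconds by a process spawn from the same account is the sequence this vulnerability produces. The `process_exec` indicator is the highest-value one because legitimate Object actions should not need a shell at all.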