CVE-2025-3594
📋 TL;DR
A path traversal vulnerability in Liferay Portal and DXP allows remote attackers to write arbitrary files to server locations and download/execute arbitrary files from a download server. This affects Liferay Portal 7.0.0 through 7.4.3.4 and Liferay DXP 7.4 GA, 7.3 GA through update 34, plus older unsupported versions.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, data theft, and complete system control.
Likely Case
Arbitrary file upload leading to web shell deployment and subsequent lateral movement.
If Mitigated
Limited impact if proper input validation and file system permissions are enforced.
🎯 Exploit Status
Exploitation appears straightforward via parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Portal 7.4.3.5+, DXP 7.4 update 1+, 7.3 update 35+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3594
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Liferay customer portal.
2. Apply the patch following Liferay's patching guide.
3. Restart the Liferay instance.
🔧 Temporary Workarounds
Disable Xuggler download endpoint
Block access to the vulnerable Xuggler download functionality
Configure web server (Apache/Nginx) to block requests containing '_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName' parameter
🧯 If You Can't Patch
- Implement strict input validation for all file path parameters
- Apply principle of least privilege to file system permissions
🔍 How to Verify
Check if Vulnerable:
Check Liferay version against affected ranges and verify Xuggler functionality is accessible
Check Version:
Check liferay-portal.xml or use Liferay's admin console
Verify Fix Applied:
Confirm version is patched (Portal >=7.4.3.5, DXP >=7.4 update 1 or 7.3 update 35) and test parameter manipulation
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations
- Requests with '_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName' containing path traversal sequences
Network Indicators:
- HTTP requests to Xuggler download endpoints with suspicious parameters
SIEM Query:
web.url:*jarName* AND (web.url:*../* OR web.url:*..\*)
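The log indicators and SIEM query above, together with the web-server blocking rule from the workarounds section, can be exercised offline with a small script. The following Python code is an added example, not part of this advisory or of Liferay's own code: the access-log lines, client addresses and the `/group/control_panel/manage` path are constructed placeholders, and the only identifier taken from the page is the jarName parameter name. It parses combined-format access log lines, fully percent-decodes the parameter (so double-encoded `%252e%252e%252f` and backslash separators, which a literal `*../*` wildcard match would miss, are still caught), returns `block` for traversal sequences, `review` when the parameter is present without traversal, and `allow` otherwise.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameter named in the advisory's workaround and log-indicator sections
JAR_NAME_PARAM = "_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName"

# A ".." path segment delimited by "/" or "\" (or at either end of the value)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Combined-format access log line: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample traffic (not captured from a real system): one unrelated
# request, one plain jarName download, then single-encoded, double-encoded and
# backslash traversal attempts. The request path is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /web/guest/home HTTP/1.1" 200 4821
203.0.113.5 - - [10/Apr/2025:12:00:07 +0000] "GET /group/control_panel/manage?_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName=xuggler.jar HTTP/1.1" 200 1200
198.51.100.23 - - [10/Apr/2025:12:01:13 +0000] "GET /group/control_panel/manage?_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName=..%2F..%2F..%2Ftmp%2Fsample.jar HTTP/1.1" 200 0
198.51.100.23 - - [10/Apr/2025:12:01:15 +0000] "GET /group/control_panel/manage?_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName=..%252F..%252Ftmp%252Fsample.jar HTTP/1.1" 200 0
198.51.100.23 - - [10/Apr/2025:12:01:20 +0000] "GET /group/control_panel/manage?_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName=..%5C..%5Ctmp%5Csample.jar HTTP/1.1" 200 0
"""


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (parse_qs already removed one layer)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return (verdict, decoded jarName): 'allow', 'review' or 'block'."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = query.get(JAR_NAME_PARAM)
    if not values:
        return "allow", None
    for raw in values:
        decoded = fully_decode(raw)
        if TRAVERSAL_RE.search(decoded):
            return "block", decoded
    # Parameter present without traversal: still worth a look if the
    # Xuggler download endpoint is supposed to be disabled
    return "review", fully_decode(values[0])


def scan_log(text):
    """Return one finding per log line whose request carries the jarName parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict, jar = classify_request(m.group("target"))
        if verdict != "allow":
            findings.append({"line": lineno, "ip": m.group("ip"),
                             "verdict": verdict, "jar_name": jar})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']:6} {f['ip']} jarName={f['jar_name']!r}")
```

The same `classify_request` logic is what a web-server rule in front of Liferay needs to implement: a rule that matches only the literal string `../` in the raw URL will pass the double-encoded and backslash variants that this script flags, so match on the parameter name itself (as the workaround suggests) or decode before comparing.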