CVE-2025-43751
📋 TL;DR
This vulnerability allows remote attackers to determine whether user accounts exist in Liferay Portal/DXP by exploiting the create account page. Attackers can enumerate valid usernames, which is the first step in credential-based attacks. All Liferay Portal versions 7.4.0 through 7.4.3.132 and Liferay DXP versions from 7.4 GA through 2024.Q4.7 are affected.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers build a complete list of valid usernames, then conduct targeted password attacks leading to account compromise and potential data breaches.
Likely Case
Attackers enumerate some valid usernames and use them for phishing, credential stuffing, or social engineering attacks.
If Mitigated
Attackers can still identify account existence but cannot proceed further due to strong authentication controls and monitoring.
🎯 Exploit Status
Exploitation requires no authentication and involves simple HTTP requests to the create account page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.133+; Liferay DXP 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.15+, 2023.Q4.11+, 2023.Q3.11+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43751
Restart Required: No
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack following Liferay's deployment guide.
3. Verify the patch is applied by checking version numbers.
🔧 Temporary Workarounds
Rate Limiting on Create Account Endpoint
Implement rate limiting on the create account page to slow down enumeration attempts.
Configure the web application firewall or load balancer to limit requests to /c/portal/create_account.
CAPTCHA Implementation
Add a CAPTCHA to the create account page to prevent automated enumeration.
Use Liferay's built-in CAPTCHA configuration or a third-party CAPTCHA service.
🧯 If You Can't Patch
- Implement network-level controls to restrict access to create account page from untrusted networks
- Enable detailed logging and monitoring for create account page access patterns
🔍 How to Verify
Check if Vulnerable:
Test whether submitting different usernames to the create account page returns different error messages that reveal whether an account exists.
Check Version:
Check Liferay Control Panel → Server Administration → Properties → liferay.home/build.properties for version info
Verify Fix Applied:
After patching, verify that the create account page returns consistent responses regardless of whether the submitted username exists.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed create account attempts with different usernames from same IP
- Unusual patterns of /c/portal/create_account requests
Network Indicators:
- High volume of POST requests to create account endpoint
- Sequential username attempts from single source
SIEM Query:
source="liferay.log" AND (uri_path="/c/portal/create_account" AND status=400) | stats count by src_ip, user_agent
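The log indicators above (many distinct usernames submitted to /c/portal/create_account from one source in a short window) can be checked outside a SIEM as well. The following is an added example, not part of the advisory and not Liferay code: it parses constructed access-log lines in combined log format, assumes a hypothetical log pipeline that appends the submitted screen name as a trailing screenName=... field, and flags any source IP that submitted at least a threshold number of distinct screen names to the create account endpoint within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Liferay output). Assumed format:
# combined access log with "screenName=<value>" appended by a hypothetical
# log pipeline; "-" is used when no screen name was submitted.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:00:01 +0000] "POST /c/portal/create_account HTTP/1.1" 400 512 "-" "python-requests/2.31" screenName=alice
203.0.113.10 - - [12/May/2025:10:00:02 +0000] "POST /c/portal/create_account HTTP/1.1" 400 512 "-" "python-requests/2.31" screenName=bob
203.0.113.10 - - [12/May/2025:10:00:03 +0000] "POST /c/portal/create_account HTTP/1.1" 400 512 "-" "python-requests/2.31" screenName=carol
203.0.113.10 - - [12/May/2025:10:00:04 +0000] "POST /c/portal/create_account HTTP/1.1" 400 512 "-" "python-requests/2.31" screenName=dave
203.0.113.10 - - [12/May/2025:10:00:05 +0000] "POST /c/portal/create_account HTTP/1.1" 400 512 "-" "python-requests/2.31" screenName=erin
203.0.113.10 - - [12/May/2025:10:00:06 +0000] "POST /c/portal/create_account HTTP/1.1" 400 512 "-" "python-requests/2.31" screenName=frank
198.51.100.7 - - [12/May/2025:10:00:07 +0000] "POST /c/portal/create_account HTTP/1.1" 400 512 "-" "Mozilla/5.0" screenName=jsmith
198.51.100.7 - - [12/May/2025:10:00:40 +0000] "POST /c/portal/create_account HTTP/1.1" 200 2048 "-" "Mozilla/5.0" screenName=jsmith2
192.0.2.33 - - [12/May/2025:10:01:00 +0000] "GET /web/guest/home HTTP/1.1" 200 9000 "-" "Mozilla/5.0" -
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "ua" extra
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<extra>.*)$'
)

CREATE_ACCOUNT_PATH = "/c/portal/create_account"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    name = re.search(r"screenName=(\S+)", m.group("extra"))
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
        "screen_name": name.group(1) if name else None,
    }


def find_enumeration_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: sorted distinct screen names} for every source that POSTed at
    least `threshold` distinct screen names to the create account endpoint within
    any `window`-long sliding interval."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev["method"] != "POST" or ev["path"] != CREATE_ACCOUNT_PATH:
            continue
        if ev["screen_name"]:
            per_ip[ev["ip"]].append((ev["ts"], ev["screen_name"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        # Slide the window start over each event and count distinct names inside it.
        for i, (start_ts, _) in enumerate(events):
            names = {name for ts, name in events[i:] if ts - start_ts <= window}
            if len(names) >= threshold:
                alerts[ip] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for ip, names in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(names)} distinct screen names on {CREATE_ACCOUNT_PATH}: {names}")
```

Counting distinct screen names rather than raw request volume keeps the check focused on the enumeration pattern: a single user retrying the same name after a validation error does not trip it, while a source cycling through a username list does. Tune the threshold and window to the site's normal sign-up rate before alerting on it.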