CVE-2025-43754
📋 TL;DR
This CVE describes a username enumeration vulnerability in Liferay Portal and DXP where attackers can determine if user accounts exist by analyzing server response times during login attempts. This affects Liferay Portal 7.4.0-7.4.3.132 and multiple DXP versions from 7.4 GA through 2024.Q4.7. The vulnerability allows attackers to gather valid usernames for potential credential attacks.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all valid usernames in the system, enabling targeted brute-force attacks, credential stuffing, or social engineering campaigns against identified users.
Likely Case
Attackers will gather a list of valid usernames to use in subsequent credential-based attacks, increasing the success rate of password guessing or credential stuffing attempts.
If Mitigated
With proper monitoring and rate limiting, the impact is limited to potential username discovery without enabling account compromise.
🎯 Exploit Status
Exploitation requires timing analysis tools but no authentication. Attackers can automate username enumeration through login attempts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.133+, Liferay DXP 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.15+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43754
Restart Required: No
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack according to Liferay's deployment documentation.
3. Verify the patch is applied by checking version numbers.
🔧 Temporary Workarounds
Implement Rate Limiting
Configure rate limiting on login endpoints to prevent automated username enumeration attempts.
Configure via web server (nginx/apache) or application firewall rules
Enable CAPTCHA
Implement CAPTCHA on login forms to prevent automated login attempts.
Configure via Liferay's Control Panel > Configuration > Instance Settings > Authentication
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block timing-based enumeration patterns
- Enable comprehensive logging and monitoring for unusual login attempt patterns
🔍 How to Verify
Check if Vulnerable:
Check your Liferay version against affected ranges. Test login response times for valid vs invalid usernames (response time differences indicate vulnerability).
Check Version:
Check Liferay Control Panel > Server Administration > Properties, or examine liferay-portal.xml version information
Verify Fix Applied:
After patching, test that login attempts return consistent response times regardless of username validity.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts with different usernames from same source
- Unusual patterns of login attempts with consistent timing intervals
Network Indicators:
- High volume of POST requests to login endpoints
- Requests with systematically varied username parameters
SIEM Query:
source_ip: * AND (destination_port: 80 OR destination_port: 443) AND http_method: POST AND uri_path: "/c/portal/login" AND count by source_ip > threshold
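The log and network indicators above can be checked offline against access logs. The following is an added example (not code from the advisory or from Liferay) that scores each source IP on the three indicators listed: volume of POSTs to the login endpoint, number of distinct usernames tried, and machine-regular request intervals. The log line format and the `user=` field are assumptions for the constructed sample; adapt the regex to your own web server or Liferay audit log layout.

```python
# Added example: detector for the enumeration indicators listed in this advisory.
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/c/portal/login"  # login endpoint named in the advisory's SIEM query
# Assumed (constructed) log format: "<ip> <ISO timestamp> <method> <path> user=<name>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) user=(\S*)$")


def parse(line):
    """Return (ip, timestamp, method, path, user) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, user = m.groups()
    return ip, datetime.fromisoformat(ts), method, path, user


def detect(lines, min_attempts=10, min_distinct_users=8, max_interval_stdev=0.25):
    """Map each suspicious source IP to the list of indicators it matched."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            by_ip[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in by_ip.items():
        reasons = []
        if len(events) >= min_attempts:
            reasons.append("high volume of login POSTs")
        if len({user for _, user in events}) >= min_distinct_users:
            reasons.append("many distinct usernames")
        times = sorted(t for t, _ in events)
        if len(times) >= 3:
            # Scripted enumeration tends to fire at a fixed cadence; humans do not.
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if statistics.pstdev(gaps) <= max_interval_stdev:
                reasons.append("machine-regular request intervals")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample: one source cycling through usernames once per second,
# one ordinary user retrying their own password, and one unrelated GET.
SAMPLE_LOG = [
    f"203.0.113.9 2025-06-01T10:00:{i:02d} POST /c/portal/login user=user{i}" for i in range(12)
] + [
    "198.51.100.4 2025-06-01T10:05:00 POST /c/portal/login user=alice",
    "198.51.100.4 2025-06-01T10:05:07 POST /c/portal/login user=alice",
    "198.51.100.4 2025-06-01T10:05:09 GET /web/guest/home user=",
]

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

Thresholds are starting points; tune `min_attempts` and `min_distinct_users` to the normal failed-login baseline of your instance before alerting on them.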