CVE-2025-43773 – This vulnerability in Liferay Portal and DXP al... (How to Fix)

Q: What is the severity of CVE-2025-43773?

CVE-2025-43773 has a CVSS score of 9.1 (CRITICAL). This vulnerability in Liferay Portal and DXP allows improper access through the expandoTableLocalService, potentially enabling unauthorized data access or manipulation. It affects Liferay Portal 7.4.0-7.4.3.132 and multiple DXP versions from 7.4 GA through 2025.Q2.0. Organizations running these versions are at risk.

📋 TL;DR

This vulnerability in Liferay Portal and DXP allows improper access through the expandoTableLocalService, potentially enabling unauthorized data access or manipulation. It affects Liferay Portal 7.4.0-7.4.3.132 and multiple DXP versions from 7.4 GA through 2025.Q2.0. Organizations running these versions are at risk.

💻 Affected Systems

Products:

Liferay Portal
Liferay DXP

Versions: Liferay Portal 7.4.0 through 7.4.3.132; Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92

Operating Systems: All platforms running affected Liferay versions

Default Config Vulnerable: ⚠️ Yes

Notes: All installations within the affected version ranges are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing unauthorized access to sensitive data, privilege escalation, or remote code execution.

🟠

Likely Case

Unauthorized data access or manipulation through the vulnerable service, potentially exposing sensitive information.

🟢

If Mitigated

Limited impact if proper access controls and network segmentation are implemented, though vulnerability remains.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to the expandoTableLocalService interface, which may require some authentication level.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Liferay Portal 7.4.3.133+, Liferay DXP 2025.Q2.1+, 2025.Q1.15+, 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.19+, 7.4 update 93+

Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43773

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Liferay's customer portal. 2. Apply the patch following Liferay's patch installation guide. 3. Restart the Liferay instance. 4. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Restrict access to expandoTableLocalService

all

Implement access controls to limit who can access the vulnerable service interface.

Network segmentation

all

Isolate Liferay instances from untrusted networks and implement strict firewall rules.

🧯 If You Can't Patch

Implement strict network access controls to limit exposure
Monitor for suspicious activity targeting the expandoTableLocalService

🔍 How to Verify

Check if Vulnerable:

Check Liferay version in Control Panel → Configuration → Server Administration → System Information

Check Version:

Check Liferay build number in Control Panel or via server logs

Verify Fix Applied:

Verify version is updated to patched version and check for absence of vulnerability indicators in logs

📡 Detection & Monitoring

Log Indicators:

Unusual access patterns to expandoTableLocalService
Unauthorized data access attempts
Privilege escalation attempts

Network Indicators:

Unusual API calls to expando-related endpoints
Suspicious data exfiltration patterns

SIEM Query:

source="liferay" AND (expandoTableLocalService OR CVE-2025-43773)

📊 Metadata

CVE ID: CVE-2025-43773

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-862

EPSS Score: 0.05% exploit probability (13.5th percentile)

Published: August 29, 2025

Last Updated: December 16, 2025

🔗 References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43773 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-43773, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Liferay Portal by Liferay

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict access to expandoTableLocalService

Network segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities