CVE-2025-43799
📋 TL;DR
This vulnerability allows remote users to access and edit content via APIs before changing their initial password in affected Liferay versions. It affects Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions, plus Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35. Attackers can exploit this to modify content without proper authentication.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain full API access to create, modify, or delete sensitive content, potentially leading to data breaches, content manipulation, or privilege escalation.
Likely Case
Attackers access and edit portal content via API endpoints, compromising data integrity and potentially exposing sensitive information.
If Mitigated
With proper access controls and monitoring, impact is limited to attempted unauthorized access that can be detected and blocked.
🎯 Exploit Status
Requires knowledge of user accounts with unchanged initial passwords. Exploitation involves API calls to access/edit content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.112 or later; Liferay DXP 2023.Q4.1 or later, 2023.Q3.5 or later, 7.4 update 93 or later, 7.3 update 36 or later
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43799
Restart Required: No
Instructions:
1. Download the appropriate patch from Liferay's customer portal.
2. Apply the patch according to Liferay's patching documentation.
3. Verify the fix by testing API access with an account whose initial password has not been changed.
🔧 Temporary Workarounds
Force Password Change on First Login
Configure Liferay to require a password change on initial login, so that an account cannot use the APIs before its initial password has been changed.
Configure in Control Panel > Password Policies > Add Policy with 'Change Required on First Login' enabled
Restrict API Access
Implement network-level restrictions that limit API access to trusted IPs only.
Use firewall rules to restrict access to Liferay API endpoints (e.g., /api/*) from untrusted networks
🧯 If You Can't Patch
- Enforce mandatory password changes for all users immediately and monitor for compliance.
- Implement API rate limiting and monitor for unusual API activity from accounts with recent password changes.
🔍 How to Verify
Check if Vulnerable:
Test if API endpoints are accessible using a user account that hasn't changed its initial password. Attempt to access content via /api/jsonws or similar endpoints.
Check Version:
Check the Liferay version via Control Panel > Server Administration > Properties, or review liferay-home/portal-ext.properties.
Verify Fix Applied:
After patching, verify that API access is denied for users who haven't changed their initial password. Test with the same vulnerable configuration.
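The version ranges above can be turned into a simple triage check. The following is an added example, not part of the advisory or of any Liferay tooling: it classifies a version string as affected, fixed, or not listed, using only the ranges stated on this page. The input formats for DXP versions ("2023.Q3.4" for quarterly releases and "7.4-u92" for update-numbered releases, with GA written as u0) are assumptions chosen for this example; normalize whatever your inventory system reports into these forms before calling it.

```python
import re

# Ranges taken from the advisory text above:
#   Portal:  7.4.0 .. 7.4.3.111 and older unsupported versions -> affected; 7.4.3.112+ -> fixed
#   DXP:     2023.Q4.0 -> affected, 2023.Q4.1+ -> fixed
#            2023.Q3.1 .. 2023.Q3.4 -> affected, 2023.Q3.5+ -> fixed
#            7.4 GA .. update 92 -> affected, update 93+ -> fixed
#            7.3 GA .. update 35 -> affected, update 36+ -> fixed
PORTAL_FIXED = (7, 4, 3, 112)
DXP_QUARTERLY = {(2023, 4): 1, (2023, 3): 5}   # (year, quarter) -> first fixed patch
DXP_QUARTERLY_MIN = {(2023, 4): 0, (2023, 3): 1}  # first affected patch listed
DXP_UPDATES = {(7, 4): 93, (7, 3): 36}          # (major, minor) -> first fixed update

# Assumed input forms (not Liferay's own formatting): "2023.Q3.4" and "7.4-u92".
QUARTERLY_RE = re.compile(r"^(\d{4})\.Q([1-4])\.(\d+)$", re.IGNORECASE)
UPDATE_RE = re.compile(r"^(\d+)\.(\d+)-u(\d+)$", re.IGNORECASE)


def portal_status(version):
    """Classify a Liferay Portal (CE) version such as '7.4.3.111'."""
    parts = tuple(int(p) for p in version.split("."))
    # Anything below the first fixed build is affected, which also covers
    # the "older unsupported versions" wording in the advisory.
    return "affected" if parts < PORTAL_FIXED else "fixed"


def dxp_status(version):
    """Classify a Liferay DXP version in one of the two assumed forms."""
    m = QUARTERLY_RE.match(version)
    if m:
        year, quarter, patch = (int(x) for x in m.groups())
        key = (year, quarter)
        if key not in DXP_QUARTERLY:
            return "not listed"
        if patch >= DXP_QUARTERLY[key]:
            return "fixed"
        if patch >= DXP_QUARTERLY_MIN[key]:
            return "affected"
        return "not listed"   # e.g. 2023.Q3.0 is not named in the advisory
    m = UPDATE_RE.match(version)
    if m:
        major, minor, update = (int(x) for x in m.groups())
        key = (major, minor)
        if key not in DXP_UPDATES:
            return "not listed"
        return "fixed" if update >= DXP_UPDATES[key] else "affected"
    raise ValueError(f"unrecognized DXP version form: {version!r}")


def status(product, version):
    """product is 'portal' or 'dxp'; returns 'affected', 'fixed' or 'not listed'."""
    if product == "portal":
        return portal_status(version)
    if product == "dxp":
        return dxp_status(version)
    raise ValueError(f"unknown product: {product!r}")


if __name__ == "__main__":
    for prod, ver in [("portal", "7.4.3.111"), ("portal", "7.4.3.112"),
                      ("dxp", "2023.Q4.0"), ("dxp", "7.4-u92"), ("dxp", "7.3-u36")]:
        print(prod, ver, "->", status(prod, ver))
```

"not listed" is deliberately distinct from "fixed": a version the advisory does not mention should be checked against the vendor advisory rather than assumed safe.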
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful API calls from the same IP
- API access logs showing requests from users with recent password change timestamps
Network Indicators:
- Unusual API request patterns, especially POST/PUT requests to content endpoints from new sessions
SIEM Query:
source="liferay.log" AND (message="API access" OR message="/api/") AND user="*" AND event_type="authentication" AND password_change="false"
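The first log indicator above (failed authentication attempts followed by a successful API call from the same IP) and the network indicator (POST/PUT requests to content endpoints) can be checked with a small correlation routine. The following is an added example, not part of the advisory and not Liferay's own logging; the line format and the sample lines are constructed for this illustration, and the field names (`ip`, `event`, `method`, `path`, `user`) are assumptions. Real Liferay or reverse-proxy logs will need their own parser, but the correlation logic is the same.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Liferay output). One simplified
# record per line: timestamp, client IP, event type, optional method/path, user.
SAMPLE_LOG = """\
2025-10-01T10:00:01 ip=203.0.113.5 event=auth_failed user=alice
2025-10-01T10:00:03 ip=203.0.113.5 event=auth_failed user=alice
2025-10-01T10:00:09 ip=203.0.113.5 event=api_ok method=POST path=/api/jsonws/journal.journalarticle/update-article user=alice
2025-10-01T10:05:00 ip=198.51.100.7 event=api_ok method=GET path=/api/jsonws/user.user/get-current-user user=bob
2025-10-01T11:00:00 ip=192.0.2.9 event=auth_failed user=carol
2025-10-01T11:30:00 ip=192.0.2.9 event=api_ok method=GET path=/api/jsonws/user.user/get-current-user user=carol
"""

# Assumed line format for this example only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)"
    r"(?: method=(?P<method>\S+))?(?: path=(?P<path>\S+))? user=(?P<user>\S+)$"
)

# Methods and path prefixes treated as "content writes" for the network indicator.
WRITE_METHODS = {"POST", "PUT"}
CONTENT_PREFIXES = ("/api/jsonws/journal.",)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_suspicious(log_text, window=timedelta(minutes=5), min_failures=1):
    """Return hits for successful API calls preceded, within `window`, by at least
    `min_failures` failed authentications from the same IP.

    Each hit is a dict with ip, user, method, path, failures (count in window)
    and content_write (True for POST/PUT to a content endpoint)."""
    failures = defaultdict(list)  # ip -> timestamps of failed auth attempts
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["event"] == "auth_failed":
            failures[ip].append(ts)
        elif rec["event"] == "api_ok":
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append({
                    "ip": ip,
                    "user": rec["user"],
                    "method": rec["method"],
                    "path": rec["path"],
                    "failures": len(recent),
                    "content_write": rec["method"] in WRITE_METHODS
                    and (rec["path"] or "").startswith(CONTENT_PREFIXES),
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

On the constructed sample, only the 203.0.113.5 / alice sequence is reported: two failures within five minutes followed by a POST to a journal endpoint. The carol sequence is not reported because its failure is thirty minutes before the successful call; tune `window` and `min_failures` to the noise level of your own logs, and treat hits with `content_write` set as the higher-priority ones.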