CVE-2025-4604
📋 TL;DR
This vulnerability allows attackers to bypass CAPTCHA verification in Liferay Portal/DXP, enabling them to execute arbitrary scripts in the Gogo shell. Affected systems include Liferay Portal 7.4.3.80-7.4.3.132 and multiple Liferay DXP versions from 2024.Q1.1 through 2025.Q1.15.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain remote code execution capabilities, potentially compromising the entire Liferay instance and underlying server.
Likely Case
Unauthorized script execution leading to data theft, privilege escalation, or system manipulation.
If Mitigated
Limited impact if Gogo shell access is restricted or monitored, though CAPTCHA bypass remains possible.
🎯 Exploit Status
Requires CAPTCHA bypass followed by Gogo shell access; no public exploit available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.133+, Liferay DXP 2024.Q1.20+, 2024.Q2.14+, 2024.Q3.14+, 2024.Q4.8+, 2025.Q1.16+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4604
Restart Required: No
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack following Liferay's deployment guide.
3. Verify the patch is applied correctly.
🔧 Temporary Workarounds
Disable Gogo Shell
Prevent script execution by disabling the Gogo shell component.
Set 'gogo.shell.enabled=false' in portal-ext.properties
Restrict CAPTCHA Access
Implement network-level restrictions on CAPTCHA endpoints.
Configure firewall/WAF rules to limit access to CAPTCHA-related URLs
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Liferay instances
- Enable detailed logging and monitoring for CAPTCHA bypass attempts and Gogo shell usage
🔍 How to Verify
Check if Vulnerable:
Check Liferay version via Control Panel → Configuration → Server Administration → System Information
Check Version:
Check portal.properties or use Liferay's System Information page
Verify Fix Applied:
Verify that the running version is one of the patched versions listed under Official Fix, then test that CAPTCHA validation behaves correctly
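A small version checker for the affected and fixed versions listed in this advisory, added here as an example and not part of the vendor advisory. It assumes that each quarterly DXP line (2024.Q1, 2024.Q2, ...) is an independent branch fixed at its own patch level, and that Liferay Portal 7.4.3.x is affected from 7.4.3.80 up to and including 7.4.3.132; the version strings passed in are the ones shown on the System Information page.

```python
import re
from typing import Optional

# Fixed patch levels per branch, taken from the Official Fix section above.
FIXED = {
    "portal-7.4.3": 133,  # Liferay Portal 7.4.3.133+
    "dxp-2024.Q1": 20,    # Liferay DXP 2024.Q1.20+
    "dxp-2024.Q2": 14,    # Liferay DXP 2024.Q2.14+
    "dxp-2024.Q3": 14,    # Liferay DXP 2024.Q3.14+
    "dxp-2024.Q4": 8,     # Liferay DXP 2024.Q4.8+
    "dxp-2025.Q1": 16,    # Liferay DXP 2025.Q1.16+
}
PORTAL_FIRST_AFFECTED = 80  # Liferay Portal 7.4.3.80 is the first affected release

_PORTAL_RE = re.compile(r"^7\.4\.3\.(\d+)$")
_QUARTERLY_RE = re.compile(r"^(20\d\d\.Q[1-4])\.(\d+)$")


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """Return True if the version is in an affected range, False if it is fixed
    or below the affected range, and None if the branch is not covered here
    (assumption: branches absent from the advisory are treated as unknown)."""
    if product == "portal":
        m = _PORTAL_RE.match(version)
        if not m:
            return None
        patch = int(m.group(1))
        return PORTAL_FIRST_AFFECTED <= patch < FIXED["portal-7.4.3"]
    if product == "dxp":
        m = _QUARTERLY_RE.match(version)
        if not m:
            return None
        branch, patch = m.group(1), int(m.group(2))
        fixed = FIXED.get(f"dxp-{branch}")
        if fixed is None:
            return None  # quarterly branch not listed in this advisory
        return patch < fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for product, version in [("portal", "7.4.3.132"), ("dxp", "2025.Q1.16")]:
        print(product, version, "vulnerable:", is_vulnerable(product, version))
```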
📡 Detection & Monitoring
Log Indicators:
- Unusual CAPTCHA validation failures
- Gogo shell command execution logs
- Authentication bypass attempts
Network Indicators:
- Unexpected requests to CAPTCHA endpoints
- Suspicious script execution patterns
SIEM Query:
source="liferay" AND (event="CAPTCHA_FAILURE" OR event="GOGO_SHELL_EXECUTION")