CVE-2025-43754: 
Java vulnerability analysis and mitigation

A username enumeration vulnerability was discovered in Liferay Portal and DXP platforms (CVE-2025-43754), disclosed on August 21, 2025. The vulnerability affects multiple versions including Liferay Portal 7.4.0 through 7.4.3.132, and various Liferay DXP versions from 2024.Q1.1 through 2024.Q4.7, as well as DXP 7.4 GA through update 92 (Liferay Advisory).

The vulnerability allows attackers to determine if an account exists in the application by inspecting the server processing time of the login request. This timing-based vulnerability is classified as CWE-208 (Observable Timing Discrepancy). The vulnerability has received a CVSS v4.0 Base Score of 6.9 (Medium) with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, indicating it is network-accessible, requires low attack complexity, and needs no privileges or user interaction (NVD).

The vulnerability allows malicious actors to enumerate valid usernames within the Liferay system by analyzing timing differences in server responses. This information disclosure could be used as a stepping stone for further attacks such as brute force attempts or targeted phishing campaigns (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay DXP 2024.Q1.15, DXP 2025.Q1.0, or DXP 2025.Q2.0 to remediate the issue (Liferay Advisory).