CVE-2025-43792: 
Java vulnerability analysis and mitigation

CVE-2025-43792 is a security vulnerability discovered in Liferay Portal and DXP systems, disclosed on September 15, 2025. The vulnerability affects multiple versions including Liferay Portal 7.4.0 through 7.4.3.105 and older unsupported versions, as well as Liferay DXP versions including 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 (NVD, Liferay Advisory).

The vulnerability stems from improper handling of remote address validation in the staging functionality. The issue is related to CWE-15 (External Control of System or Configuration Setting) and has been assigned a CVSS v4.0 score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability allows remote authenticated users to exfiltrate data to an attacker-controlled server by manipulating the comliferayexportimportwebportletExportImportPortletremoteAddress and comliferayexportimportwebportletExportImportPortletremotePort parameters. However, successful exploitation requires the attacker to obtain the staging server's shared secret and add their controlled server to the staging server's whitelist (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.106, Liferay DXP 2024.Q1.1, DXP 2023.Q4.1, DXP 2023.Q3.5, or DXP 7.3 U36 as appropriate for their deployment (Liferay Advisory).