CVE-2025-62250: 
Java vulnerability analysis and mitigation

A critical authentication vulnerability (CVE-2025-62250) was discovered in Liferay Portal and DXP systems. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.132 and various Liferay DXP versions including 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35. The issue was disclosed on May 8, 2025, and involves improper authentication mechanisms that could allow remote attackers to exploit cluster message functionality (Liferay Advisory).

The vulnerability stems from an improper authentication mechanism in Liferay's cluster messaging system. The flaw allows remote attackers to send unauthenticated cluster messages that the system incorrectly treats as trusted data. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, indicating network accessibility with low attack complexity and no authentication requirements (Liferay Advisory).

The vulnerability allows attackers to inject malicious data into the system through cluster messages, which will be processed as trusted information. This could potentially lead to unauthorized data manipulation and system compromise, though the impact is rated as Low for both Confidentiality and Integrity aspects, with no impact on Availability (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal's fixed master branch version, Liferay DXP 2024.Q1.1, DXP 2023.Q4.1, DXP 2023.Q3.5, or DXP 7.3 update 36. These versions include patches that properly validate cluster messages and prevent unauthorized data injection (Liferay Advisory).