CVE-2025-62257: 
Java vulnerability analysis and mitigation

A password enumeration vulnerability was discovered in Liferay Portal and DXP systems, identified as CVE-2025-62257. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.119 and older unsupported versions, as well as Liferay DXP versions including 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, and 2023.Q3.1 through 2023.Q3.10. The vulnerability was disclosed on October 29, 2025 (NVD, Liferay).

The vulnerability is classified with a CVSS v4.0 base score of 6.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The issue is related to improper restriction of excessive authentication attempts (CWE-307), where the account lockout mechanism fails to prevent password enumeration through brute force attacks (NVD).

The vulnerability allows remote attackers to determine a user's password through brute force attacks, even when account lockout mechanisms are enabled. This compromises the security of user accounts by potentially exposing valid credentials to unauthorized parties (Liferay).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal version 7.4.3.120 or Liferay DXP versions 2024.Q4.0, 2024.Q3.0, 2024.Q2.0, or 2024.Q1.6 (Liferay).