Liferay Portal/DPX Remote API Access Before Initial Password Change
CVE-2025-43799 Published on September 15, 2025
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API.
Weakness Type
Products Associated with CVE-2025-43799
stack.watch emails you whenever new vulnerabilities are published in Liferay Portal or Liferay Digital Experience Platform. Just hit a watch button to start following.
Affected Versions
Liferay Portal:- Version 7.4.0, <= 7.4.3.111 is affected.
- Version 7.3.10, <= 7.3.10-u35 is affected.
- Version 7.4.13, <= 7.4.13-u92 is affected.
- Version 2023.Q3.1, <= 2023.Q3.4 is affected.
- Version 2023.Q4.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.