Cyber Resilience

CVE-2025-43766

Medium

Published: 23 August 2025

Modified: 12 December 2025
KEV Added: not listed
CVSS Score v4 6.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0031 (54.3rd percentile)
Risk Priority 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-43766 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Liferay Digital Experience Platform and Liferay Portal. Its CVSS v4.0 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.7% of CVEs by exploit likelihood (EPSS 0.0031) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-43766 is an unrestricted file upload vulnerability in the style books component of Liferay Portal 7.4.0 through 7.4.3.131 (the Affected Assets section below records the range as 7.4.0 to 7.4.3.132) and of Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92. The flaw lets an attacker upload a file that the server then processes, which results in arbitrary code execution. It maps to CWE-434 (Unrestricted Upload of File with Dangerous Type). Two scores are in circulation: the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) cited for this entry assumes no privileges and no user interaction, while the CVSS v4.0 vector recorded at the top of this page (PR:H/UI:A) treats exploitation as requiring a highly privileged account plus an active user action and scores it 6.8.

Which reading applies determines the real exposure. Under the v3.1 scoring any remote client can exploit the flaw over the network with low attack complexity and no user interaction; under the v4 vector the attacker first needs an account privileged enough to reach the style book upload function, which makes the flaw a path from a privileged portal account to code execution on the host rather than an unauthenticated entry point. In either case successful exploitation yields arbitrary code execution on the affected Liferay instance with high impact on confidentiality, integrity and availability, so until the patch is applied any account that can upload style books should be treated as equivalent to shell access on the server.

The official Liferay security advisory provides details on mitigation and patches at https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43766. Security practitioners should consult this reference for upgrade paths and remediation steps specific to affected versions.


Vulnerability details

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allow the upload of unrestricted files in the style books component that are processed within the environment, enabling arbitrary code execution by attackers.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An unrestricted file upload in a public-facing Liferay web application is exploited over the network (T1190) and yields arbitrary code execution, typically through a deployed web shell (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
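The technique pairing above implies a detection opportunity: an accepted upload to the import endpoint followed, from the same client, by a request for a server-side script path the server had never served before. The following is an added example written for this page, not Liferay telemetry or Liferay code; the combined-format access log, the import endpoint path /style_book/import, the 30-minute window and the sample log lines are all constructed assumptions.

```python
"""
Detection logic for the T1190 -> T1505.003 chain: correlate an accepted POST to
an archive-import endpoint with a later request, from the same client, for a
script path (.jsp/.jspx) that has never been requested before.
Added example; endpoint path, log format, window and sample data are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

IMPORT_ENDPOINT = "/style_book/import"     # assumed path of the upload feature
SCRIPT_EXTENSIONS = (".jsp", ".jspx")      # server-executable paths that must not appear newly
WINDOW = timedelta(minutes=30)             # assumed correlation window

# Combined access log format: ip ident user [timestamp] "METHOD path proto" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access log line into a dict; return None for lines that do not match."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]   # drop the query string
    return ev


def detect_web_shell_drops(lines):
    """Return one alert per script path first requested within WINDOW after an upload by the same client."""
    uploads = defaultdict(list)   # client ip -> timestamps of accepted imports
    known_scripts = set()         # script paths already served before (baseline)
    alerts = []
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        ip, ts, path = ev["ip"], ev["ts"], ev["path"]
        if ev["method"] == "POST" and path.startswith(IMPORT_ENDPOINT) and 200 <= ev["status"] < 400:
            uploads[ip].append(ts)
            continue
        if not path.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        if path not in known_scripts:
            recent = [t for t in uploads[ip] if timedelta(0) <= ts - t <= WINDOW]
            if recent:
                alerts.append({
                    "ip": ip,
                    "path": path,
                    "upload_at": recent[-1].isoformat(),
                    "request_at": ts.isoformat(),
                    "status": ev["status"],
                })
            known_scripts.add(path)
    return alerts


# Constructed sample: a legitimate JSP is baselined first, then one client imports an
# archive and seconds later requests a script path nobody had requested before.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2025:10:14:50 +0000] "GET /html/common/themes/top_js.jsp HTTP/1.1" 200 4120',
    '203.0.113.7 - admin [23/Aug/2025:10:15:02 +0000] "POST /style_book/import?p_auth=abc HTTP/1.1" 302 0',
    '203.0.113.7 - - [23/Aug/2025:10:15:09 +0000] "GET /cmd.jsp?c=id HTTP/1.1" 200 73',
    '203.0.113.7 - - [23/Aug/2025:10:15:11 +0000] "GET /html/common/themes/top_js.jsp HTTP/1.1" 200 4120',
    '198.51.100.9 - - [23/Aug/2025:10:20:00 +0000] "GET /cmd.jsp?c=whoami HTTP/1.1" 200 61',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in detect_web_shell_drops(SAMPLE_LOG):
        print(alert)
```

The heuristic alerts once per new script path, at the first use after an upload; the later request for /cmd.jsp from a second address is deliberately not re-alerted, so this logic belongs beside file-integrity monitoring of the servlet container's deployment directories rather than in place of it.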

CVEs Like This One

CVE-2025-43813 · same product: Liferay Digital Experience Platform
CVE-2025-46384 · shared CWE-434
CVE-2025-13516 · shared CWE-434
CVE-2024-13011 · shared CWE-434
CVE-2025-8323 · shared CWE-434
CVE-2025-21624 · shared CWE-434
CVE-2026-35164 · shared CWE-434
CVE-2026-2097 · shared CWE-434
CVE-2025-12154 · shared CWE-434
CVE-2026-42748 · shared CWE-434

Affected Assets

liferay / digital experience platform: 2024.Q4.0, 7.4 · 2024.Q1.1 — 2024.Q1.14 · 2024.Q2.0 — 2024.Q2.13 · 2024.Q3.1 — 2024.Q3.13
liferay / liferay portal: 7.4.0 — 7.4.3.132

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the unrestricted file upload flaw through vendor patches, directly preventing arbitrary code execution in Liferay's style books component.

SI-10 Information Input Validation (prevent)
Mandates validation of uploaded files to block dangerous types from being processed within the environment, addressing the core unrestricted upload vulnerability.

SI-3 Malicious Code Protection (prevent, detect)
Deploys malicious code protection at system entry points to scan and eradicate uploaded files containing executable code before processing.
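What SI-10 and SI-3 mean for an upload endpoint of this kind is shown by the validator below. It is an added example written for this page, not Liferay's code and not the vendor's fix: it assumes the import accepts a ZIP archive, the extension allowlist, size limits and the style-book-like entry names are assumptions, and the sample archives are constructed in memory. The checks it performs (archive magic, path traversal, symlink entries, extension allowlist, compression-ratio and total-size limits, and content sniffing for server-side script and native executable markers) are the generic controls for CWE-434 rather than anything specific to this CVE.

```python
"""
Upload validator illustrating SI-10 (input validation) and SI-3 (malicious code
protection at an entry point) for an import endpoint that accepts a ZIP archive.
Added example, not Liferay's code; allowlist, limits and sample archives are assumptions.
"""
import io
import posixpath
import zipfile
from dataclasses import dataclass, field

ALLOWED_EXTENSIONS = {".json", ".css", ".png", ".jpg", ".svg", ".woff2"}  # assumed allowlist
MAX_ENTRIES = 500
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024
MAX_COMPRESSION_RATIO = 100                     # zip-bomb guard
SCRIPT_MARKERS = (b"<%", b"<jsp:", b"<?php")    # server-side script fragments, anywhere in the head
BINARY_MAGICS = (b"\x7fELF", b"MZ", b"\xca\xfe\xba\xbe", b"#!")  # executables, checked at offset 0


@dataclass
class ValidationResult:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def _safe_entry_name(name: str) -> bool:
    """Reject absolute paths, backslashes, drive letters and any '..' component after normalisation."""
    if not name or name.startswith("/") or "\\" in name or ":" in name:
        return False
    return ".." not in posixpath.normpath(name).split("/")


def validate_archive(data: bytes) -> ValidationResult:
    """Inspect an uploaded archive without extracting it and collect every reason to reject it."""
    if not data.startswith(b"PK\x03\x04"):
        return ValidationResult(False, ["not a ZIP archive (bad magic)"])
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return ValidationResult(False, [f"unreadable ZIP: {exc}"])
    reasons: list[str] = []
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        reasons.append(f"too many entries ({len(infos)} > {MAX_ENTRIES})")
    total = 0
    for info in infos:
        name = info.filename
        if not _safe_entry_name(name.rstrip("/")):
            reasons.append(f"path traversal or absolute path: {name!r}")
            continue
        if info.is_dir():
            continue
        # Unix mode bits live in the high 16 bits of external_attr; 0o120000 marks a symlink.
        if (info.external_attr >> 16) & 0o170000 == 0o120000:
            reasons.append(f"symlink entry: {name!r}")
            continue
        if posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
            reasons.append(f"disallowed extension: {name!r}")
            continue
        total += info.file_size
        if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
            reasons.append(f"suspicious compression ratio: {name!r}")
            continue
        head = zf.open(info).read(4096)   # content check, independent of the extension
        if head.startswith(BINARY_MAGICS) or any(m in head for m in SCRIPT_MARKERS):
            reasons.append(f"executable content inside {name!r}")
    if total > MAX_TOTAL_UNCOMPRESSED:
        reasons.append(f"uncompressed size {total} exceeds limit")
    return ValidationResult(not reasons, reasons)


def _build_zip(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory archive for the demonstration (sample data, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed benign import: only data files with allowed extensions.
BENIGN_UPLOAD = _build_zip({
    "style-book.json": b'{"name": "corporate"}',
    "frontend-token-values.json": b'{"color-primary": "#0b5fff"}',
})
# Constructed hostile import: a traversal entry aimed at the servlet container's
# document root, plus a JSP fragment hidden behind an allowed extension.
HOSTILE_UPLOAD = _build_zip({
    "style-book.json": b'{"name": "evil"}',
    "../../ROOT/cmd.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "theme.css": b'body {} <% out.println(System.getenv()); %>',
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_UPLOAD), ("hostile", HOSTILE_UPLOAD)):
        print(label, validate_archive(blob))
```

The validator deliberately reports every failing entry rather than stopping at the first, which gives the SI-3 scanner and the incident responder a complete picture of what the upload tried to do; the entries are only ever read through the archive API, never extracted to disk, so a traversal name cannot land anywhere before it is rejected.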
