What is the CVSS score of EUVD-2025-18408?

EUVD-2025-18408 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.5%.

Which versions of Liferay Portal are affected by EUVD-2025-18408?

A critical remote code execution vulnerability in Liferay Portal and DXP versions 7.0-7.4.3.4 allows unauthenticated attackers to upload malicious files and execute arbitrary code on affected…. A patch is available.

How to fix or mitigate EUVD-2025-18408?

Within 24 hours: Identify all Liferay Portal and DXP instances in your environment and document their versions; disable or restrict access to the Server Admin portlet if possible; implement WAF rules to block malicious requests to the vulnerable parameter. Within 7 days: Apply network segmentation to limit lateral movement if compromise occurs; conduct log analysis for exploitation attempts; prepare communication plan for potential incident notification. Within 30 days: Upgrade to patched versions when available from vendor; if upgrade impossible, implement compensating controls and schedule emergency maintenance window.

Liferay Portal EUVD-2025-18408

| CVE-2025-3594 CRITICAL

Path Traversal (CWE-22)

2025-06-16 security@liferay.com

GHSA-p73j-gpcq-49h8

Path Traversal Liferay Portal Digital Experience Platform

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18408

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

CVE Published

Jun 16, 2025 - 15:15 nvd

CRITICAL 9.8

DescriptionCVE.org

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the _com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName parameter.

AnalysisAI

A path traversal vulnerability in Liferay Portal 7.0.0 (CVSS 9.8) that allows remote attackers. Critical severity with potential for significant impact on affected systems.

Technical ContextAI

CWE-22 (Path Traversal). CVSS 9.8 indicates critical severity with likely remote exploitation vector. Affects Liferay Portal 7.0.0.

RemediationAI

Monitor vendor channels for patch availability.

EUVD-2025-18408 vulnerability details – vuln.today

Back

Liferay Portal EUVD-2025-18408

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code