How to fix EUVD-2025-18408?

Within 24 hours: Identify all Liferay Portal and DXP instances in your environment and document their versions; disable or restrict access to the Server Admin portlet if possible; implement WAF rules to block malicious requests to the vulnerable parameter. Within 7 days: Apply network segmentation to limit lateral movement if compromise occurs; conduct log analysis for exploitation attempts; prepare communication plan for potential incident notification. Within 30 days: Upgrade to patched versions when available from vendor; if upgrade impossible, implement compensating controls and schedule emergency maintenance window.

Is Liferay Portal affected by EUVD-2025-18408?

A critical remote code execution vulnerability in Liferay Portal and DXP versions 7.0-7.4.3.4 allows unauthenticated attackers to upload malicious files and execute arbitrary code on affected servers.

EUVD-2025-18408

| CVE-2025-3594 CRITICAL

2025-06-16 [email protected]

GHSA-p73j-gpcq-49h8

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18408

CVE Published

Jun 16, 2025 - 15:15 nvd

CRITICAL 9.8

Description

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter.

Analysis

A path traversal vulnerability in Liferay Portal 7.0.0 (CVSS 9.8) that allows remote attackers. Critical severity with potential for significant impact on affected systems.

Technical Context

CWE-22 (Path Traversal). CVSS 9.8 indicates critical severity with likely remote exploitation vector. Affects Liferay Portal 7.0.0.

Affected Products

['Liferay Portal 7.0.0']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.5

CVSS: +49

POC: 0

EUVD-2025-18408 vulnerability details – vuln.today

Back

EUVD-2025-18408

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-18408

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code