Liferay DXP, Authentication Bypass, CVE-2025-XXXX (Low)

Listen to this Post

The vulnerability exists in the TOTP (Time-based One-Time Password) authentication module of Liferay DXP. The flaw allows for a replay attack where a single TOTP token, generated for multi-factor authentication, can be used more than once within its typical short validity window (e.g., 30 seconds). Normally, the system should mark a used token as invalid to prevent immediate reuse. However, due to a missing state-tracking mechanism or an improper validation check in the authentication logic, the system fails to invalidate the token after its first successful use. This means an attacker who intercepts or observes a valid TOTP code can reuse it to complete the 2FA process and gain unauthorized access to the victim’s account until the token naturally expires.
Platform: Liferay DXP
Version: < 2.0.25
Vulnerability: TOTP Replay
Severity: Low

date: 2025-09-15

Prediction: Patch available

What Undercode Say:

`curl -s “https://api.github.com/advisories?query=Liferay+TOTP” | jq ‘.[] | select(.severity==”low”)’`

`nmap -p 80,443 –script http-vuln-cve2025xxxx `

How Exploit:

Intercept valid TOTP token and replay it within the validity period.

Protection from this CVE:

Upgrade to version 2.0.25.

Impact:

Authentication Bypass, Account Takeover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top