CrowdSec
10/10CrowdSec Score

Portal - Open Redirect (CVE-2024-25608)

Published on20-02-2024
First seen on14-01-2026
Public ExploitCVSS 6.1/10Liferay - PortalLiferay - DXP

27Exploiting IPs reported

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect.

CrowdSec analysis

CVE-2024-25608 is a vulnerability in Liferay Portal and DXP that allows remote attackers to bypass URL redirection protections by exploiting the 'REPLACEMENT CHARACTER' (U+FFFD). By manipulating parameters such as 'redirect', 'FORWARD_URL', and others, attackers can redirect users to arbitrary external sites, potentially facilitating phishing attacks or malicious site redirections.

CrowdSec has been tracking this vulnerability and its exploits since 7th of January 2026.

Data from the CrowdSec community indicates that exploitation of CVE-2024-25608 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2024-25608 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2024-25608 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit open redirect vulnerabilities by sending requests to endpoints like /html/common/forward_jsp.jsp with parameters such as FORWARD_URL containing crafted external URLs, often using special characters (e.g., U+FFFD) to bypass filters and redirect users to malicious sites.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Common Weakness Enumeration (CWE)

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

References