CVE-2025-2139 in Engineering Requirements Management Doors Next
Summary
by MITRE • 10/12/2025
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete reviews from other users due to client-side enforcement of server-side security.
Analysis
by VulDB Data Team • 10/17/2025
IBM Engineering Requirements Management Doors Next versions 7.0.2, 7.0.3, and 7.1 contain an authorization flaw that lets any authenticated network user delete reviews submitted by other users. The root cause is that the permission check governing review deletion is enforced only in the client: the user interface withholds the delete action from users who do not own a review, but the server accepts a deletion request without independently verifying that the requesting principal owns the review or otherwise holds the right to remove it. An authenticated user who bypasses the client, for example by replaying or modifying the deletion request, can therefore remove reviews belonging to anyone. The summary describes this as client-side enforcement of server-side security, and the entry is classified under CWE-285 (Improper Authorization), which covers a missing or insufficient access-control check before a privileged action. The flaw violates the principle of least privilege and the ownership-based access control that a review workflow is expected to enforce.
Operationally, the risk is to the integrity of the review record within the requirements management process. Deleting other users' reviews removes part of the audit trail, causes loss of review data, and can be used to manipulate requirements validation, for instance by removing dissenting review comments before a decision is recorded. Because the weakness is a missing server-side check rather than a defect in one isolated code path, other operations on review artifacts in the same product deserve scrutiny for the same pattern, although the advisory only documents review deletion.
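The pattern described above, as an added illustration that is not IBM DOORS Next code: a review-deletion handler that honours a client-supplied permission flag, placed next to one that decides using only server-side state. The function names, the in-memory store, the request shape and the user names are assumptions made for this example.

```python
# Added example (not IBM DOORS Next code): a review-deletion handler that
# trusts a client-supplied permission flag, next to one that enforces
# ownership on the server. Names, the store layout and the request shape
# are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Review:
    review_id: str
    owner: str
    text: str


class Forbidden(Exception):
    """Raised when the authenticated principal may not perform the action."""


def fresh_store():
    """Constructed in-memory stand-in for the server's review table."""
    return {
        "r-1": Review("r-1", "alice", "Requirement 12 lacks a rationale"),
        "r-2": Review("r-2", "bob", "Acceptance criteria are testable"),
    }


def delete_review_client_trusted(store, request):
    """Vulnerable pattern.

    The web client hides the delete button unless the viewer owns the
    review and sends can_delete=True only in that case. The server then
    honours that flag instead of deciding for itself, so any authenticated
    user who edits or replays the request with can_delete=True deletes
    anyone's review.
    """
    if not request.get("can_delete"):
        raise Forbidden("client reported no permission")
    store.pop(request["review_id"])
    return True


def delete_review_enforced(store, request, actor, admins=frozenset()):
    """Hardened pattern.

    The decision uses only server-side state: the authenticated principal
    (actor, taken from the session, never from the request body) and the
    owner recorded in the store. Any can_delete flag in the request is
    ignored.
    """
    review = store.get(request["review_id"])
    if review is None:
        raise KeyError(request["review_id"])
    if actor != review.owner and actor not in admins:
        raise Forbidden(f"{actor} may not delete review owned by {review.owner}")
    del store[review.review_id]
    return True


def demo():
    """Send the same forged request (authenticated as 'mallory', who owns
    nothing) to both handlers and report which one still holds alice's
    review afterwards."""
    forged = {"review_id": "r-1", "can_delete": True}

    vulnerable = fresh_store()
    delete_review_client_trusted(vulnerable, forged)

    hardened = fresh_store()
    try:
        delete_review_enforced(hardened, forged, actor="mallory")
        blocked = False
    except Forbidden:
        blocked = True

    return {
        "vulnerable_kept_r1": "r-1" in vulnerable,
        "hardened_blocked": blocked,
        "hardened_kept_r1": "r-1" in hardened,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler takes the actor from the authenticated session and the owner from the store; nothing the client sends participates in the decision, which is the property the advisory says the affected versions lack.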
Organizations running the affected versions face compromised data integrity, possible regulatory and compliance consequences where review records are part of a controlled process, and disruption of collaborative requirements work. The impact is amplified by the low barrier to exploitation: the attacker needs only a valid account on the network, not elevated rights, which corresponds to ATT&CK technique T1078 (Valid Accounts). The issue is also a defense-in-depth failure, since client-side enforcement must never be the sole control on a destructive operation; the server must perform its own authorization check on every request.
Recommended actions are to apply the vendor patch for the affected versions, to review access controls on reviews and other requirements artifacts, and to log and alert on review deletion and modification events so that a deletion performed by a user other than the review owner is detected rather than discovered later as missing data. More generally, every client-to-server operation that creates, modifies or deletes data should be authenticated and authorized on the server regardless of what the client has already checked.
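The monitoring recommendation above, as an added example that is not part of the advisory or of the product: detection logic that scans audit lines for review deletions performed by a non-admin actor who does not own the review, ranked by actor to surface bulk deletions. The audit line format, field names, ownership snapshot and user names are constructed assumptions; the parser would need to be adapted to the real application log.

```python
# Added example (not IBM DOORS Next code): detection logic for review
# deletions performed by someone other than the review's owner. The audit
# line format, field names and the ownership table are constructed
# assumptions; adapt the parser to the real application log.
import re
from collections import Counter

# Constructed audit lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2025-10-17T09:58:11Z action=review.create actor=alice review=r-1
2025-10-17T10:01:02Z action=review.delete actor=mallory review=r-1
2025-10-17T10:01:05Z action=review.delete actor=mallory review=r-2
2025-10-17T10:03:40Z action=review.delete actor=bob review=r-3
2025-10-17T10:04:12Z action=review.update actor=mallory review=r-4
2025-10-17T10:05:00Z action=review.delete actor=admin1 review=r-4
"""

# Constructed ownership snapshot, standing in for an export of the review
# table taken before the window under investigation.
OWNERS = {"r-1": "alice", "r-2": "bob", "r-3": "bob", "r-4": "alice"}
ADMINS = frozenset({"admin1"})

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one audit line into a dict; returns None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def find_cross_user_deletions(log_text, owners, admins=frozenset()):
    """Return delete events where a non-admin actor removed a review they do
    not own. Deletions of reviews missing from the ownership snapshot are
    flagged as well (owner=None) so that gaps in the snapshot do not hide
    an event."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("action") != "review.delete":
            continue
        actor = ev.get("actor")
        owner = owners.get(ev.get("review"))
        if actor in admins or actor == owner:
            continue
        alerts.append({**ev, "owner": owner})
    return alerts


def actors_by_alert_count(alerts):
    """Rank actors by number of cross-user deletions; several deletions by
    one account in a short window is the strongest sign of deliberate abuse."""
    return Counter(a["actor"] for a in alerts).most_common()


if __name__ == "__main__":
    found = find_cross_user_deletions(SAMPLE_LOG, OWNERS, ADMINS)
    for a in found:
        print(f"{a['ts']} {a['actor']} deleted {a['review']} owned by {a['owner']}")
    print(actors_by_alert_count(found))
```

Joining the delete event against an ownership snapshot is necessary because the deletion itself may leave no owner information behind; keeping that snapshot current, or logging the owner at deletion time, is what makes the alert reliable.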