CVE-2025-13734 is a vulnerability classified under CWE-862 (Missing Authorization) affecting IBM Engineering Requirements Management DOORS Next versions 7.1 and 7.2. This vulnerability allows an authenticated user to bypass authorization controls, enabling them to view and modify data beyond their assigned permissions. The flaw arises from insufficient enforcement of access control policies within the application, which is used for managing engineering requirements in complex projects, often in regulated industries such as aerospace, automotive, and defense. The vulnerability can be exploited remotely over the network without user interaction, provided the attacker has valid credentials with limited privileges. The CVSS v3.1 base score is 5.4, reflecting a medium severity due to the requirement for authentication and the limited scope of impact (confidentiality and integrity only, no availability impact). The vulnerability does not require complex attack techniques, making it relatively straightforward to exploit once credentials are obtained. No public exploits or patches have been reported at the time of publication, indicating that organizations should proactively assess their exposure and implement compensating controls. The missing authorization could lead to unauthorized disclosure and modification of sensitive requirements data, potentially undermining project integrity and compliance.

The primary impact of CVE-2025-13734 is on the confidentiality and integrity of sensitive engineering requirements data managed by IBM DOORS Next. Unauthorized viewing and editing of requirements can lead to leakage of proprietary or classified information, manipulation of project specifications, and potential downstream effects on product safety, compliance, and quality. This can be particularly damaging in industries where requirements traceability and accuracy are critical, such as aerospace, defense, automotive, and medical devices. Although availability is not affected, the trustworthiness of the data is compromised, which can delay projects, increase costs, and expose organizations to regulatory and reputational risks. Attackers with limited privileges can escalate their access within the application, potentially leading to insider threat scenarios or lateral movement within the enterprise environment. The lack of known exploits reduces immediate risk, but the medium severity score and the nature of the vulnerability warrant timely mitigation to prevent exploitation.

Organizations should implement the following specific mitigations: 1) Immediately audit user roles and permissions within IBM DOORS Next 7.1 and 7.2 to ensure the principle of least privilege is enforced, removing unnecessary access rights. 2) Monitor application logs for unusual access patterns or unauthorized data modifications indicative of exploitation attempts. 3) Restrict network access to the DOORS Next application to trusted users and networks using network segmentation and access control lists. 4) Employ multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability. 5) Engage with IBM support to obtain any available patches or workarounds and apply them promptly once released. 6) Consider implementing additional application-layer access controls or data loss prevention (DLP) solutions to detect and prevent unauthorized data access or changes. 7) Train users on secure credential management and awareness of privilege misuse risks. These targeted actions go beyond generic advice by focusing on access control tightening, monitoring, and layered defenses specific to the affected product and vulnerability characteristics.