CVE-2025-2138: CWE-602 Client-Side Enforcement of Server-Side Security in IBM Engineering Requirements Management Doors Next
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete comments from other users due to client-side enforcement of server-side security.
AI Analysis
Technical Summary
CVE-2025-2138 identifies a security vulnerability in IBM Engineering Requirements Management Doors Next versions 7.0.2, 7.0.3, and 7.1. The core issue is the improper enforcement of security controls on the client side instead of the server side, categorized under CWE-602 (Client-Side Enforcement of Server-Side Security). This design flaw allows an authenticated user within the network to bypass intended restrictions and delete comments made by other users. Since the enforcement is client-side, a malicious user can manipulate client requests or the client application to perform unauthorized actions that the server should prevent. The vulnerability requires the attacker to have legitimate network access and authenticated privileges, but no additional user interaction is needed. The CVSS v3.1 base score is 3.5, indicating a low severity primarily due to the limited impact on integrity and the requirement for authentication. There is no impact on confidentiality or availability. No public exploits have been reported, and no patches are currently linked, suggesting that remediation may be pending or in development. This vulnerability could undermine the integrity of collaborative requirements documentation, potentially causing confusion or miscommunication in engineering projects.
Potential Impact
For European organizations, especially those in sectors like aerospace, automotive, and industrial engineering that rely heavily on IBM Engineering Requirements Management Doors Next for requirements traceability and collaboration, this vulnerability poses a risk to data integrity. Unauthorized deletion of comments can disrupt project workflows, cause loss of critical feedback, and introduce errors in requirements management. Although the confidentiality and availability of the system remain unaffected, the integrity compromise can lead to misinformed decisions or delays in product development cycles. The requirement for authenticated access limits exposure to internal or trusted network users, but an insider or an attacker holding compromised credentials could still exploit it. The impact is more pronounced in organizations with distributed teams relying on comment histories for audit trails and regulatory compliance. Given the low CVSS score and lack of known exploits, the immediate risk is moderate but should not be ignored in high-assurance environments.
Mitigation Recommendations
Organizations should implement strict access controls and least privilege principles to limit which users can modify or delete comments within IBM Doors Next. Monitoring and logging of comment deletions should be enabled to detect suspicious activity promptly. Network segmentation and strong authentication mechanisms can reduce the risk of unauthorized access. Until IBM releases a patch or update that enforces security server-side, administrators should consider additional compensating controls such as disabling comment deletion for non-administrative users if possible. Regular audits of comment histories and version control backups can help recover from unauthorized deletions. Engaging with IBM support to obtain timelines for patches and requesting security enhancements is advisable. Training users to recognize and report irregularities in comment management can also aid early detection. Finally, organizations should review their incident response plans to include scenarios involving integrity breaches in requirements management systems.
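The following example is added here to illustrate the CWE-602 pattern described in the technical summary and the deletion logging recommended above; it is not IBM's code and says nothing about how Doors Next is implemented internally. The comment model, the function names, the `can_delete` request flag and the audit record are all hypothetical, and the sample comments are constructed. It contrasts a delete path that trusts a client-computed permission flag with one that decides on the server from the stored author, and runs a simple detection query over the resulting audit trail.

```python
# Added illustration of CWE-602 (not IBM's code; the comment model, function
# names, the can_delete request flag and the audit record are hypothetical).
# Two delete paths over the same store: one that trusts a client-computed
# permission flag, one that decides on the server from the stored author,
# plus the audit trail and detection query the mitigation section asks for.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Comment:
    comment_id: int
    author: str
    text: str


@dataclass
class AuditEvent:
    actor: str        # authenticated user making the request
    comment_id: int
    author: str       # who wrote the comment (empty if it did not exist)
    outcome: str      # "deleted", "denied" or "not_found"


@dataclass
class CommentStore:
    comments: Dict[int, Comment] = field(default_factory=dict)
    admins: Set[str] = field(default_factory=set)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def add(self, comment_id: int, author: str, text: str) -> None:
        self.comments[comment_id] = Comment(comment_id, author, text)

    def _record(self, actor: str, comment_id: int, author: str, outcome: str) -> str:
        # Every attempt is logged, including refused ones, so the trail can
        # be audited later.
        self.audit_log.append(AuditEvent(actor, comment_id, author, outcome))
        return outcome

    # --- CWE-602 pattern ----------------------------------------------------
    # The web UI hides the delete button unless the viewer wrote the comment
    # and sends can_delete=True only in that case. The server repeats no
    # check of its own, so the flag in the request body decides the outcome.
    def delete_trusting_client(self, actor: str, comment_id: int,
                               can_delete: bool) -> str:
        comment = self.comments.get(comment_id)
        if comment is None:
            return self._record(actor, comment_id, "", "not_found")
        if not can_delete:
            return self._record(actor, comment_id, comment.author, "denied")
        del self.comments[comment_id]
        return self._record(actor, comment_id, comment.author, "deleted")

    # --- server-side enforcement --------------------------------------------
    # Authorization is derived from server state only: the authenticated
    # identity and the stored author. Nothing in the request can widen it.
    def delete(self, actor: str, comment_id: int) -> str:
        comment = self.comments.get(comment_id)
        if comment is None:
            return self._record(actor, comment_id, "", "not_found")
        if actor != comment.author and actor not in self.admins:
            return self._record(actor, comment_id, comment.author, "denied")
        del self.comments[comment_id]
        return self._record(actor, comment_id, comment.author, "deleted")


def cross_user_deletions(log: List[AuditEvent]) -> List[AuditEvent]:
    """Detection query over the audit trail: successful deletions where the
    actor is not the comment's author. On a correctly enforcing server these
    should come only from administrators; anything else is worth an alert."""
    return [e for e in log if e.outcome == "deleted" and e.actor != e.author]


def demo() -> dict:
    """Runs both paths on constructed sample data and returns the outcomes."""
    store = CommentStore(admins={"admin"})
    store.add(1, "alice", "Requirement REQ-12 needs a tolerance.")   # constructed
    store.add(2, "alice", "Second comment.")                         # constructed
    store.add(3, "bob", "Agree with alice.")                         # constructed
    # bob's browser would send can_delete=False for alice's comment, but the
    # server cannot know that the value it received came from the UI.
    weak = store.delete_trusting_client("bob", 1, can_delete=True)
    # The same actor against the enforcing path is refused and logged.
    strong = store.delete("bob", 2)
    own = store.delete("bob", 3)
    flagged = cross_user_deletions(store.audit_log)
    return {"weak": weak, "strong": strong, "own": own,
            "remaining": sorted(store.comments),
            "flagged_actors": [e.actor for e in flagged]}


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the hardened `delete` takes no permission input from the request at all: the only facts it consults are who is authenticated and who the stored record says wrote the comment. The `cross_user_deletions` query is the shape of the monitoring the recommendations describe; in a real deployment it would run over the product's own deletion log rather than an in-memory list.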
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-03-10T01:10:31.239Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ebb20ce7e4c74b800ba668
Added to database: 10/12/2025, 1:50:04 PM
Last enriched: 10/12/2025, 1:51:09 PM
Last updated: 10/15/2025, 8:32:58 AM
Views: 50
Related Threats
- CVE-2025-61941: Improper limitation of a pathname to a restricted directory ('Path Traversal') in BUFFALO INC. WXR9300BE6P series (High)
- CVE-2025-11501: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in markomaksym Dynamically Display Posts (High)
- CVE-2025-55039: CWE-347 Improper Verification of Cryptographic Signature in Apache Software Foundation Apache Spark (Unknown)
- CVE-2025-11161: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in wpbakery WPBakery Page Builder (Medium)
- CVE-2025-11160: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in wpbakery WPBakery Page Builder (Medium)