CVE-2025-2139: CWE-602 Client-Side Enforcement of Server-Side Security in IBM Engineering Requirements Management Doors Next
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete reviews from other users due to client-side enforcement of server-side security.
AI Analysis
Technical Summary
CVE-2025-2139 is a security vulnerability identified in IBM Engineering Requirements Management Doors Next versions 7.0.2, 7.0.3, and 7.1. The root cause is that a security control is enforced on the client side rather than on the server side. Specifically, the application relies on client-side mechanisms to enforce the permission to delete reviews; an authenticated user with network access can manipulate those mechanisms, because the server does not re-check on its own whether the requester is allowed to delete the review in question. This allows such a user to delete reviews authored by other users, violating data integrity and potentially disrupting collaborative workflows and audit trails. The vulnerability is classified under CWE-602, which pertains to client-side enforcement of server-side security. The CVSS v3.1 base score is 3.5, indicating low severity, with an adjacent-network attack vector (AV:A), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and unchanged scope (S:U). The impact is limited to integrity (I:L), with no confidentiality or availability impact. No patches or exploits are currently reported, but the vulnerability is publicly disclosed as of October 12, 2025. Organizations using the affected IBM Doors Next versions should review their access controls and consider compensating controls until a patch is available.
Potential Impact
For European organizations, the primary impact of this vulnerability is on the integrity of project documentation and review processes within IBM Engineering Requirements Management Doors Next. Unauthorized deletion of reviews can lead to loss of critical audit information, miscommunication among project stakeholders, and potential compliance issues, especially in regulated industries such as automotive, aerospace, and defense where IBM Doors Next is commonly used. While the vulnerability does not directly impact confidentiality or availability, the disruption of review records can undermine trust in the requirements management process and delay project timelines. Since exploitation requires authenticated network access, insider threats or compromised credentials pose the greatest risk. The low CVSS score reflects limited impact scope, but organizations with stringent compliance requirements or heavy reliance on this tool should prioritize mitigation to maintain data integrity and auditability.
Mitigation Recommendations
1. Restrict network access to IBM Engineering Requirements Management Doors Next to trusted users and networks only, employing network segmentation and firewall rules to limit exposure.
2. Enforce strong authentication mechanisms and monitor for suspicious login activities to reduce the risk of credential compromise.
3. Implement role-based access controls (RBAC) and regularly audit user permissions to ensure only authorized users have deletion privileges.
4. Monitor application logs for unusual deletion activities or patterns that could indicate exploitation attempts.
5. Until an official patch is released, consider deploying application-layer proxies or web application firewalls (WAFs) with custom rules to detect and block unauthorized deletion requests.
6. Educate users about the risk of credential sharing and the importance of reporting suspicious behavior.
7. Maintain regular backups of project data and review records to enable recovery in case of unauthorized deletions.
8. Engage with IBM support for updates on patches or workarounds addressing this vulnerability.
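The CWE-602 pattern described in the technical summary, and the log-based detection suggested in mitigation step 4, as an added illustration that is not IBM's code and makes no claim about how Doors Next is implemented. The review store, the `admins` role, the user names and the audit-log format are all constructed for the example; the point is that the delete decision must be derived on the server from the authenticated identity and the stored record, never from anything the client asserts.

```python
from dataclasses import dataclass


@dataclass
class Review:
    review_id: str
    author: str  # user who created the review (constructed data)


class ReviewService:
    def __init__(self, reviews, admins=()):
        self.reviews = {r.review_id: r for r in reviews}
        self.admins = set(admins)
        self.audit = []  # one dict per delete attempt, used for detection below

    def delete_review_unsafe(self, review_id, requester, client_says_allowed):
        # Vulnerable pattern (CWE-602): the server trusts a permission the
        # client computed, e.g. because the UI hid the Delete button for
        # non-owners. Any authenticated user who submits the request with the
        # flag set can delete another user's review; `requester` is never checked.
        if not client_says_allowed:
            return False
        self.reviews.pop(review_id, None)
        return True

    def delete_review(self, review_id, requester):
        # Hardened form: authorization is re-derived server-side from the
        # session identity and the stored author; client claims are ignored.
        review = self.reviews.get(review_id)
        if review is None:
            return False
        allowed = requester == review.author or requester in self.admins
        # Record every attempt, allowed or denied, so cross-user deletions
        # can be audited (mitigation step 4).
        self.audit.append({"review": review_id, "author": review.author,
                           "requester": requester, "allowed": allowed})
        if not allowed:
            return False
        del self.reviews[review_id]
        return True


def cross_user_deletions(audit):
    # Detection query: delete attempts on reviews the requester did not author.
    # Allowed admin deletions surface too, so reviewers can confirm they were legitimate.
    return [e for e in audit if e["requester"] != e["author"]]
```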
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-03-10T01:10:32.275Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68ebb20ce7e4c74b800ba66b
Added to database: 10/12/2025, 1:50:04 PM
Last enriched: 10/12/2025, 1:50:56 PM
Last updated: 10/16/2025, 12:01:05 PM