Severity
Medium
Analysis Summary
CVE-2025-36087 CVSS:8.1
IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CVE-2025-33096 CVSS:6.5
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.
CVE-2025-2140 CVSS:5.7
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to spoof email identity of the sender due to improper verification of source data.
CVE-2025-2139 CVSS:3.5
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete reviews from other users due to client-side enforcement of server-side security.
CVE-2025-2138 CVSS:3.5
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete comments from other users due to client-side enforcement of server-side security.
Impact
- Denial of Service
- Gain Access
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-36087
CVE-2025-33096
CVE-2025-2140
CVE-2025-2139
CVE-2025-2138
Affected Vendors
- IBM
Affected Products
- IBM Engineering Requirements Management DOORS Next 7.0.2
- IBM Engineering Requirements Management DOORS Next 7.0.3
- IBM Security Verify Access 10.0.0 - 10.0.9
- IBM Security Verify Access 11.0.0
- IBM Verify Identity Access Container 10.0.0 - 10.0.9
- IBM Verify Identity Access Container 11.0.0
- IBM Engineering Requirements Management Doors Next 7.1
Remediation
Refer to IBM Security Advisory for patch, upgrade, or suggested workaround information.