Analysis Summary

CVE-2025-36087 CVSS:8.1

IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

CVE-2025-33096 CVSS:6.5

IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.

CVE-2025-2140 CVSS:5.7

IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to spoof email identity of the sender due to improper verification of source data.

CVE-2025-2139 CVSS:3.5

IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete reviews from other users due to client-side enforcement of server-side security.

CVE-2025-2138 CVSS:3.5

IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete comments from other users due to client-side enforcement of server-side security.

Impact

• Denial of Service
• Gain Access
• Security Bypass

Indicators of Compromise

CVE

• CVE-2025-36087

• CVE-2025-33096

• CVE-2025-2140

• CVE-2025-2139

• CVE-2025-2138

Affected Vendors

Remediation

Refer to IBM Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-36087

CVE-2025-33096

CVE-2025-2140

CVE-2025-2139

CVE-2025-2138