Skip to main content

Cloud Pak Cyclops CVE-2025-36220

| EUVDEUVD-2025-209931 MEDIUM
SQL Injection (CWE-89)
2026-05-26 ibm GHSA-qpmr-4jcx-mc6p
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:47 vuln.today

DescriptionCVE.org

IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

AnalysisAI

SQL injection in IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 permits authenticated remote attackers to send specially crafted SQL statements that manipulate back-end database content - enabling unauthorized data reads, inserts, modifications, or deletions. The CVSS vector scores confidentiality impact as none (C:N), yet the vendor description explicitly states attackers may view data, a discrepancy that warrants direct verification against IBM's advisory. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (9th percentile), and CISA SSVC rates exploitation as none, collectively indicating low near-term exploitation risk.

Technical ContextAI

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) indicates that user-controlled input is incorporated into SQL queries without adequate parameterization or escaping, allowing attackers to alter query logic. The affected product, identified via CPE cpe:2.3:a:ibm:cloud_pak_for_data_system_-_cyclops, is the Cyclops component of IBM Cloud Pak for Data System - an enterprise-grade data analytics and AI platform typically deployed on-premises or in hybrid cloud environments. Because this is an application-layer flaw (AV:N, AC:L), the injection point is accessible over the network through the product's API or web interface, requiring no exploitation of underlying OS or network-layer controls.

RemediationAI

Apply the vendor-released patch documented in IBM's security advisory at https://www.ibm.com/support/pages/node/7273923. The patch is confirmed available from IBM, though the specific fixed version identifier (e.g., Interim Fix 003 or later) is not independently stated in available intelligence data and must be obtained directly from the advisory. As a compensating control prior to patching, restrict access to the Cyclops interface to the minimum set of necessary authenticated users and enforce network-layer controls (firewall rules, VPN gating) to limit exposure of the application endpoint to trusted networks only - noting this does not eliminate the vulnerability but reduces the attacker pool. Deploying a web application firewall with SQL injection detection rules can provide additional detection coverage, though WAF bypasses are common for SQLi and this should not substitute for patching.

Share

CVE-2025-36220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy