Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
AnalysisAI
SQL injection in IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 permits authenticated remote attackers to send specially crafted SQL statements that manipulate back-end database content - enabling unauthorized data reads, inserts, modifications, or deletions. The CVSS vector scores confidentiality impact as none (C:N), yet the vendor description explicitly states attackers may view data, a discrepancy that warrants direct verification against IBM's advisory. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (9th percentile), and CISA SSVC rates exploitation as none, collectively indicating low near-term exploitation risk.
Technical ContextAI
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) indicates that user-controlled input is incorporated into SQL queries without adequate parameterization or escaping, allowing attackers to alter query logic. The affected product, identified via CPE cpe:2.3:a:ibm:cloud_pak_for_data_system_-_cyclops, is the Cyclops component of IBM Cloud Pak for Data System - an enterprise-grade data analytics and AI platform typically deployed on-premises or in hybrid cloud environments. Because this is an application-layer flaw (AV:N, AC:L), the injection point is accessible over the network through the product's API or web interface, requiring no exploitation of underlying OS or network-layer controls.
RemediationAI
Apply the vendor-released patch documented in IBM's security advisory at https://www.ibm.com/support/pages/node/7273923. The patch is confirmed available from IBM, though the specific fixed version identifier (e.g., Interim Fix 003 or later) is not independently stated in available intelligence data and must be obtained directly from the advisory. As a compensating control prior to patching, restrict access to the Cyclops interface to the minimum set of necessary authenticated users and enforce network-layer controls (firewall rules, VPN gating) to limit exposure of the application endpoint to trusted networks only - noting this does not eliminate the vulnerability but reduces the attacker pool. Deploying a web application firewall with SQL injection detection rules can provide additional detection coverage, though WAF bypasses are common for SQLi and this should not substitute for patching.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209931
GHSA-qpmr-4jcx-mc6p