Skip to main content

Cloud Pak Cyclops EUVDEUVD-2025-209932

| CVE-2025-36221 MEDIUM
Use of Default Credentials (CWE-1392)
2026-05-26 ibm GHSA-x59x-7jqm-mqjh
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:38 vuln.today

DescriptionCVE.org

IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication.

AnalysisAI

Default manufacturing credentials persisting through installation in IBM Cloud Pak for Data System Cyclops 11.3.0.2 through Interim Fix 002 allow unauthenticated network attackers to bypass authentication and perform unauthorized integrity-impacting actions. The root cause (CWE-1392) reflects a design-phase failure where credentials intended solely for factory/installation use are not forced to rotate before or immediately after deployment. EPSS sits at 0.03% and SSVC records no current exploitation, but the SSVC automatable flag indicates this class of attack is trivially scriptable, making exposed instances a realistic target for opportunistic credential-stuffing against known IBM default password sets. No public exploit identified at time of analysis.

Technical ContextAI

CWE-1392 (Use of Default Credentials) describes the failure to require credential rotation away from factory-set or installation-phase passwords before a system enters production. IBM Cloud Pak for Data System - Cyclops is a converged infrastructure appliance/software platform (CPE: cpe:2.3:a:ibm:cloud_pak_for_data_system_-_cyclops:*:*:*:*:*:*:*:*) combining compute, storage, and analytics layers. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates the authentication endpoint reachable over the network accepts these default credentials with no complexity barrier and without requiring any prior foothold. The scope is Unchanged (S:U), meaning exploitation is contained to the Cyclops component itself rather than pivoting to adjacent systems directly, and the declared impact is Integrity:Low with Confidentiality and Availability rated None - consistent with limited write access rather than full administrative takeover.

RemediationAI

Apply the vendor-released patch per the IBM security advisory at https://www.ibm.com/support/pages/node/7273923 - exact fix version was not independently published in available intelligence at time of analysis, so administrators should reference the advisory directly for the target build. As an immediate compensating control prior to patching, force rotation of all default manufacturing and installation-phase credentials across all Cyclops instances; IBM documentation typically lists these in installation guides, so they should be treated as publicly known. Restrict network access to the Cyclops management interface using host-based or network-perimeter firewall rules, limiting reachability to trusted administrator subnets - this directly counters the AV:N attack vector and eliminates remote exploitation risk at the cost of reduced operational flexibility for remote administration. Audit authentication logs for any logins using default credential patterns as an indicator of prior unauthorized access.

Share

EUVD-2025-209932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy