Skip to main content

Cloud Pak For Data System Cyclops

2 CVEs product

Monthly

CVE-2025-36221 MEDIUM PATCH This Month

Default manufacturing credentials persisting through installation in IBM Cloud Pak for Data System Cyclops 11.3.0.2 through Interim Fix 002 allow unauthenticated network attackers to bypass authentication and perform unauthorized integrity-impacting actions. The root cause (CWE-1392) reflects a design-phase failure where credentials intended solely for factory/installation use are not forced to rotate before or immediately after deployment. EPSS sits at 0.03% and SSVC records no current exploitation, but the SSVC automatable flag indicates this class of attack is trivially scriptable, making exposed instances a realistic target for opportunistic credential-stuffing against known IBM default password sets. No public exploit identified at time of analysis.

Authentication Bypass IBM Cloud Pak For Data System Cyclops
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-36220 MEDIUM PATCH This Month

SQL injection in IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 permits authenticated remote attackers to send specially crafted SQL statements that manipulate back-end database content - enabling unauthorized data reads, inserts, modifications, or deletions. The CVSS vector scores confidentiality impact as none (C:N), yet the vendor description explicitly states attackers may view data, a discrepancy that warrants direct verification against IBM's advisory. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (9th percentile), and CISA SSVC rates exploitation as none, collectively indicating low near-term exploitation risk.

SQLi IBM Cloud Pak For Data System Cyclops
NVD
CVSS 3.1
4.3
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Default manufacturing credentials persisting through installation in IBM Cloud Pak for Data System Cyclops 11.3.0.2 through Interim Fix 002 allow unauthenticated network attackers to bypass authentication and perform unauthorized integrity-impacting actions. The root cause (CWE-1392) reflects a design-phase failure where credentials intended solely for factory/installation use are not forced to rotate before or immediately after deployment. EPSS sits at 0.03% and SSVC records no current exploitation, but the SSVC automatable flag indicates this class of attack is trivially scriptable, making exposed instances a realistic target for opportunistic credential-stuffing against known IBM default password sets. No public exploit identified at time of analysis.

Authentication Bypass IBM Cloud Pak For Data System Cyclops
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

SQL injection in IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 permits authenticated remote attackers to send specially crafted SQL statements that manipulate back-end database content - enabling unauthorized data reads, inserts, modifications, or deletions. The CVSS vector scores confidentiality impact as none (C:N), yet the vendor description explicitly states attackers may view data, a discrepancy that warrants direct verification against IBM's advisory. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (9th percentile), and CISA SSVC rates exploitation as none, collectively indicating low near-term exploitation risk.

SQLi IBM Cloud Pak For Data System Cyclops
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy