CVE-2025-36220
Description
IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Pak for Data System Cyclops 11.3.0.2-IF2 is vulnerable to SQL injection, allowing remote attackers to view, add, modify, or delete database information.
Vulnerability
IBM Cloud Pak for Data System Cyclops version 11.3.0.2-IF2 (and possibly earlier interim fixes) is vulnerable to SQL injection [1]. A remote attacker could send specially crafted SQL statements to the back-end database, exploiting improper neutralization of special elements (CWE-89) [1]. The CVSS v3 base score is 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N [1].
Exploitation
The attacker needs network access to the affected system and low privileges (PR:L) [1]. No user interaction is required (UI:N) [1]. The attack complexity is low (AC:L) [1]. The attacker sends crafted SQL queries that bypass input sanitization, reaching the database directly [1].
Impact
On success, the attacker can view, add, modify, or delete information in the back-end database [1]. This results in limited integrity impact (I:L) and no confidentiality or availability impact (C:N, A:N) per the CVSS vector [1].
Mitigation
IBM has published a security bulletin (reference [1]) stating the vulnerability is addressed in IBM Cloud Pak for Data System Cyclops 11.3.1.1. No workarounds are listed. Users should upgrade to the fixed version. If no upgrade is possible, restrict network access and monitor database queries for anomalous patterns.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=11.3.0.2 <11.3.0.2 Interim Fix 002
Patches
No patches discovered yet.
References