CVE-2025-36221

Vulnerability

IBM Cloud Pak for Data System - Cyclops versions 11.3.0.2 through 11.3.0.2 Interim Fix 002 use default passwords from the manufacturing process during installation. This allows an attacker to bypass authentication without any special configuration or conditions. The affected product is IBM Cloud Pak for Data System - Cyclops 11.3.0.2-IF2 and earlier [1].

Exploitation

An attacker with network access to the system can exploit the default credentials without requiring any authentication, privileges, or user interaction. The attacker simply uses the known default passwords to gain unauthorized access to the system [1].

Impact

Successful exploitation allows the attacker to bypass authentication, potentially gaining access to the system with the privileges of the default account. The CVSS v3.1 vector indicates low impact to integrity (C:N/I:L/A:N), meaning the attacker may be able to modify some data but not access confidential information or cause denial of service [1].

Mitigation

IBM has addressed this vulnerability in version 11.3.1.1. Users should upgrade to this fixed version. No workarounds are available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].