CVE-2025-36221 Overview
CVE-2025-36221 affects IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002. The product ships with default passwords carried over from the manufacturing process for use during installation. An attacker who knows or guesses these default credentials can bypass authentication and gain unauthorized access to affected systems. The weakness is classified under [CWE-1392] (Use of Default Credentials).
Critical Impact
Network-accessible authentication bypass through manufacturer default passwords, allowing unauthorized access without user interaction or prior privileges.
Affected Products
- IBM Cloud Pak for Data System - Cyclops 11.3.0.2
- IBM Cloud Pak for Data System - Cyclops 11.3.0.2 Interim Fix 001
- IBM Cloud Pak for Data System - Cyclops 11.3.0.2 Interim Fix 002
Discovery Timeline
- 2026-05-26 - CVE-2025-36221 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2025-36221
Vulnerability Analysis
The vulnerability stems from IBM Cloud Pak for Data System - Cyclops shipping with default passwords assigned during manufacturing. These credentials are intended to support the installation workflow but remain valid on the deployed system. An attacker with network access can authenticate as a privileged identity without exploiting any memory corruption or logic flaw.
Use of factory-provided credentials [CWE-1392] is a well-documented configuration weakness. When the credentials are static across units or published in installation documentation, the secret value provides no meaningful access control. The flaw enables authentication bypass without user interaction.
The EPSS data indicates a low probability of observed exploitation at the time of publication, and no public proof-of-concept or CISA KEV listing exists for this issue.
Root Cause
The root cause is the persistence of manufacturing default passwords into operational deployments. The installation process relies on known credentials but does not force rotation or invalidate them after initial provisioning. This leaves a predictable authentication path exposed on production systems.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker who reaches the management interface of an affected Cloud Pak for Data System can attempt the documented default credentials. Successful authentication grants access at the privilege level associated with the default account, resulting in limited integrity impact on the target.
No verified exploitation code is publicly available. The vulnerability mechanism is described in prose; see the IBM Support Page for vendor-supplied technical details.
Detection Methods for CVE-2025-36221
Indicators of Compromise
- Successful authentication events from unexpected source IP addresses against Cloud Pak for Data System management interfaces.
- Login activity using built-in installation or factory accounts after the installation window has closed.
- Configuration changes or new sessions associated with accounts that should be disabled post-deployment.
Detection Strategies
- Audit authentication logs on affected Cyclops 11.3.0.2 systems for use of default or installation accounts.
- Correlate management plane logins with expected administrator identities and source networks.
- Flag any access to the system from outside approved jump hosts or administrative subnets.
Monitoring Recommendations
- Forward Cloud Pak for Data System authentication and audit logs to a centralized log platform for review.
- Alert on first-time use of default accounts and on repeated authentication attempts against the management interface.
- Monitor for privilege changes, new user creation, and configuration exports following any default-account login.
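The checks listed under Detection Strategies and Monitoring Recommendations, sketched as an added example (not IBM tooling and not taken from the advisory). The account names are placeholders, and the admin subnet, failure threshold and key=value log format are constructed assumptions to be replaced with the values from the actual deployment.

```python
import ipaddress
from collections import Counter
# Assumptions, not from the advisory: placeholder account names, admin subnet,
# failure threshold, and a constructed key=value log format.
DEFAULT_ACCOUNTS = {"PLACEHOLDER_INSTALL_ACCOUNT", "PLACEHOLDER_FACTORY_ACCOUNT"}
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 3

SAMPLE_LOG = """\
2026-06-01T08:00:01Z event=login user=alice src=10.20.0.15 result=success
2026-06-01T08:05:10Z event=login user=PLACEHOLDER_INSTALL_ACCOUNT src=10.20.0.15 result=success
2026-06-01T09:12:44Z event=login user=bob src=192.0.2.77 result=success
2026-06-01T09:13:00Z event=login user=PLACEHOLDER_FACTORY_ACCOUNT src=198.51.100.9 result=failure
2026-06-01T09:13:02Z event=login user=PLACEHOLDER_FACTORY_ACCOUNT src=198.51.100.9 result=failure
2026-06-01T09:13:05Z event=login user=PLACEHOLDER_FACTORY_ACCOUNT src=198.51.100.9 result=failure
2026-06-01T09:13:09Z event=login user=PLACEHOLDER_FACTORY_ACCOUNT src=198.51.100.9 result=success
truncated or malformed line
"""  # constructed sample, not real product output

def parse(line):
    """Return the fields of a login event (plus 'ts'), or None for anything else."""
    ts, _, rest = line.partition(" ")
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    if fields.get("event") != "login" or not {"user", "src", "result"} <= fields.keys():
        return None
    return {**fields, "ts": ts}

def in_admin_net(src):
    try:
        return any(ipaddress.ip_address(src) in net for net in ADMIN_NETS)
    except ValueError:  # unparseable source is treated as untrusted
        return False

def detect(log_text):  # returns (timestamp, rule, user, source) alerts in log order
    alerts, failures, seen_default = [], Counter(), set()
    for ev in filter(None, map(parse, log_text.splitlines())):
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["result"] != "success":
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:  # alert once per source
                alerts.append((ts, "REPEATED_FAILURES", user, src))
            continue
        if user in DEFAULT_ACCOUNTS:
            rule = "DEFAULT_ACCOUNT_LOGIN" if user in seen_default else "DEFAULT_ACCOUNT_FIRST_USE"
            seen_default.add(user)
            alerts.append((ts, rule, user, src))
        if not in_admin_net(src):
            alerts.append((ts, "OUTSIDE_ADMIN_NET", user, src))
    return alerts
```

A default-account success that follows a `REPEATED_FAILURES` alert from the same source is the sequence to escalate first, together with any privilege change or configuration export that comes after it.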
How to Mitigate CVE-2025-36221
Immediate Actions Required
- Identify all IBM Cloud Pak for Data System - Cyclops deployments running 11.3.0.2 through Interim Fix 002.
- Rotate any default or installation passwords still active on these systems.
- Restrict network access to management interfaces using firewall rules or network segmentation.
- Apply the remediation referenced on the IBM Support Page.
Patch Information
IBM has published advisory details on the IBM Support Page. Administrators should review the advisory for the fixed version and apply the vendor-provided update or configuration guidance for Cloud Pak for Data System - Cyclops 11.3.0.2.
Workarounds
- Change all default passwords immediately after installation and document the rotation in change management records.
- Limit management interface exposure to trusted administrative networks only.
- Disable or remove unused installation accounts once provisioning is complete.

