CVE-2025-36221 IBM CVE debrief

Who should care

IBM Cloud Pak for Data System administrators, security operations teams managing data platform infrastructure, and organizations with compliance requirements around credential management and default password elimination.

Technical summary

The vulnerability exists in IBM Cloud Pak for Data System - Cyclops versions 11.3.0.2 through Interim Fix 002, where default passwords from the manufacturing process remain in place for installation-time use. These credentials are not automatically changed or required to be changed during deployment, leaving systems exposed to authentication bypass. The CVSS 3.1 score of 5.3 (MEDIUM) reflects network accessibility with low complexity and no required privileges, though impact is limited to integrity (no confidentiality or availability impact per the vector). The weakness maps to CWE-1392: Use of Default Credentials. Remediation requires applying IBM's Interim Fix and manually changing all default passwords.

Defensive priority

medium

Recommended defensive actions

• Identify all IBM Cloud Pak for Data System - Cyclops deployments running versions 11.3.0.2 through Interim Fix 002
• Review IBM security bulletin for official remediation steps and patch availability
• Change all default credentials installed during manufacturing process immediately
• Audit authentication logs for unauthorized access using default accounts
• Implement network segmentation to limit exposure of management interfaces
• Verify no residual default credentials exist after applying Interim Fix or subsequent patches

Evidence notes

CVE published 2026-05-26T17:16:29.270Z; modified 2026-05-26T19:06:14.330Z. IBM PSIRT reference confirms affected product versions and default password issue. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N indicates network attack vector with low attack complexity, no privileges required, and integrity impact only.

Official resources