Impact
IBM Cloud Pak for Data System – Cyclops versions 11.3.0.2 through Interim Fix 002 contain default installation passwords that are derived from the manufacturing process. The presence of these preset passwords allows an attacker who can reach the installation interface to authenticate without valid credentials, effectively bypassing normal authentication controls. This weakness enables an attacker to gain initial access and potentially elevate privileges to an administrator level, compromising the confidentiality, integrity, and availability of the system.
Affected Systems
The affected product is IBM Cloud Pak for Data System – Cyclops, specifically versions 11.3.0.2 up to Interim Fix 002. Any deployment using those releases is vulnerable until upgraded to the patched release 11.3.1.1-WS-ICPDS-CYCLOPS-fp278500.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation is uncertain. Even so, an attacker who gains network access to the installation process could leverage the authentication bypass. The attack vector is inferred to be remote, relying on exposure of the installation interface, because the description does not reference local privileges. The risk therefore merits prompt remediation, along with monitoring for any related exploit activity.