Cybersecurity News

IBM warns of critical API Connect auth bypass vulnerability

Tappy Admin
December 31, 2025

IBM has advised its customers to patch an authentication bypass vulnerability in its API Connect enterprise platform that could let remote attackers gain access to affected applications.

API Connect

API Connect is an application programming interface (API) gateway solution that lets a company develop, test, and manage APIs, as well as provide controlled access to company services.

API Connect, offered in cloud, on-premises, or hybrid deployments, is currently used by more than a “hundred large-scale companies across the banking, healthcare, retail, and telecom industries.”


The vulnerability is tracked as CVE-2025-13915 and carries a severity score of 9.8/10. It affects IBM API Connect versions including 10.0.11.0, as well as

Successful exploitation lets an unauthenticated remote attacker gain access to the affected application through a low-complexity attack.

IBM urged administrators to upgrade to the latest release to block attacks, and issued an interim fix for affected users who cannot upgrade their systems to the latest release.

“A critical vulnerability has been found in IBM API Connect, which might allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application,” the company said. Customers are strongly advised to patch the weakness immediately by installing the latest fix. “Customers who are unable to install the interim fix should disable the sign up feature for the application’s Developer Portal if it has been enabled to reduce the risk of the vulnerability being successfully attacked,” IBM advised.

Step-by-step guidance for applying the CVE-2025-13915 fix to VMware, OpenShift (OCP), and Kubernetes deployments is provided in IBM's support note.
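The advisory's fallback mitigation is to turn off Developer Portal self-service sign-up. The script below is an added example (not IBM's code and not part of the article) for confirming from the outside that sign-up is actually off. It assumes, as a hypothesis not stated in the advisory, that the Developer Portal is Drupal-based and serves its registration form at /user/register, returning the form when sign-up is open and an access-denied response when it is not; the sample responses are constructed, not captured from a real portal.

```python
"""Probe an API Connect Developer Portal for an open self-service sign-up page.

Added example, not IBM code. Assumption: the portal is Drupal-based and
exposes registration at /user/register (form present => sign-up enabled,
403/404 or "Access denied" => sign-up disabled). Verify the path against
your own portal before relying on the result.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class ProbeResult:
    status: int
    body: str


def classify_signup(result: ProbeResult) -> str:
    """Map an HTTP response from /user/register to 'open', 'disabled' or 'unknown'."""
    body = result.body.lower()
    if result.status == 200 and ("user-register-form" in body or 'name="mail"' in body):
        return "open"          # a registration form was rendered: sign-up is still enabled
    if result.status in (403, 404):
        return "disabled"      # portal refuses or hides the registration page
    if result.status == 200 and "access denied" in body:
        return "disabled"      # some portals render the denial as a 200 page
    return "unknown"           # redirects, maintenance pages, errors: inspect manually


def probe(base_url: str, timeout: float = 10.0) -> ProbeResult:
    """Fetch /user/register from the portal and return status plus (truncated) body."""
    url = base_url.rstrip("/") + "/user/register"
    req = urllib.request.Request(url, headers={"User-Agent": "signup-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ProbeResult(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 403/404 arrive as exceptions; keep the status so it can be classified
        return ProbeResult(err.code, err.read(65536).decode("utf-8", "replace"))


# Constructed sample responses for offline use (not captured from a real portal)
SAMPLE_OPEN = ProbeResult(
    200, '<form id="user-register-form" class="user-register-form"><input name="mail"></form>'
)
SAMPLE_DISABLED = ProbeResult(403, "<h1>Access denied</h1>")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: signup_check.py https://portal.example.invalid", file=sys.stderr)
        sys.exit(2)
    verdict = classify_signup(probe(sys.argv[1]))
    print(f"self-service sign-up: {verdict}")
    sys.exit(1 if verdict == "open" else 0)
```

A non-zero exit when sign-up is open makes the check usable as a scheduled control after the mitigation is applied; it is only an external indicator, and the authoritative state remains the portal's own onboarding configuration.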

Over the last four years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several IBM vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, flagging them as actively exploited in the wild and requiring federal agencies to patch their environments under Binding Operational Directive 22-01.

Two of these are a code execution vulnerability in IBM Aspera Faspex (CVE-2022-47986) and an invalid input vulnerability in IBM InfoSphere BigInsights (CVE-2013-3993), which CISA reports as having been exploited in ransomware attacks.
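For teams that track KEV entries per vendor, the following added example (not from the article or from CISA) filters a KEV-format catalog for one vendor, orders the hits by BOD 22-01 due date, and flags entries past due or tied to ransomware. The record layout matches the public KEV JSON feed's fields; the embedded sample is constructed for offline use, and its dates are illustrative rather than copied from the live catalog.

```python
"""Filter a CISA KEV-format catalog by vendor and report due dates.

Added example, not CISA or IBM code. Field names (cveID, vendorProject,
dueDate, knownRansomwareCampaignUse, ...) follow the public KEV JSON feed;
SAMPLE_KEV below is constructed and its dates are illustrative.
"""
import json
import urllib.request
from datetime import date

# Public feed location; only fetched when fetch_kev() is called explicitly.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's layout (dates illustrative, not the catalog's)
SAMPLE_KEV = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2022-47986", "vendorProject": "IBM", "product": "Aspera Faspex",
         "vulnerabilityName": "IBM Aspera Faspex Code Execution Vulnerability",
         "dateAdded": "2023-02-21", "dueDate": "2023-03-14",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2013-3993", "vendorProject": "IBM", "product": "InfoSphere BigInsights",
         "vulnerabilityName": "IBM InfoSphere BigInsights Invalid Input Vulnerability",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleCorp", "product": "Widget",
         "vulnerabilityName": "ExampleCorp Widget Placeholder Vulnerability",
         "dateAdded": "2023-01-01", "dueDate": "2023-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text: str) -> list:
    """Parse KEV JSON text and return the list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def fetch_kev(url: str = KEV_FEED_URL, timeout: float = 30.0) -> list:
    """Download the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def entries_for_vendor(entries: list, vendor: str) -> list:
    """Case-insensitive exact match on vendorProject, ordered by due date then CVE."""
    want = vendor.strip().lower()
    hits = [e for e in entries if e.get("vendorProject", "").strip().lower() == want]
    return sorted(hits, key=lambda e: (e["dueDate"], e["cveID"]))


def overdue_cves(entries: list, today: date) -> list:
    """CVE IDs whose BOD 22-01 due date has already passed on `today`."""
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today]


def ransomware_linked(entries: list) -> list:
    """CVE IDs that the catalog marks as used in known ransomware campaigns."""
    return [e["cveID"] for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


if __name__ == "__main__":
    ibm = entries_for_vendor(load_kev(SAMPLE_KEV), "IBM")
    for e in ibm:
        print(f'{e["cveID"]:16} due {e["dueDate"]}  ransomware={e["knownRansomwareCampaignUse"]}')
    print("overdue today:", overdue_cves(ibm, date.today()))
```

Swap `load_kev(SAMPLE_KEV)` for `fetch_kev()` to run against the live feed; matching on `vendorProject` exactly (rather than a substring) avoids pulling in unrelated vendors whose names contain the same letters.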