
IBM API Connect flaw exposes critical authentication bypass risk

Summary

– IBM has disclosed a critical authentication bypass vulnerability (CVE-2025-13915) in its API Connect platform, rated 9.8/10 in severity.
– This flaw affects specific versions of API Connect and could allow unauthenticated attackers to remotely access applications without user interaction.
– API Connect is an enterprise API gateway used widely across sectors like banking, healthcare, and telecommunications.
– IBM strongly recommends upgrading to the latest version immediately or applying a mitigation, such as disabling self-service sign-up on the Developer Portal.
– Earlier IBM vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog after active exploitation, some in ransomware attacks, so prompt patching matters here as well.

Organizations using IBM’s API Connect platform are being urged to apply a critical security update immediately. A newly identified vulnerability, if left unpatched, could let attackers bypass authentication entirely and gain unauthorized remote access to applications. This presents a significant risk for the many businesses in finance, healthcare, and telecommunications that rely on the platform to manage and secure their application programming interfaces.

The flaw, officially cataloged as CVE-2025-13915, carries a severity rating of 9.8 out of 10. It impacts specific versions of IBM API Connect, namely version 10.0.11.0 and versions 10.0.8.0 through 10.0.8.5. This API gateway is a central tool for companies to create, test, and oversee their APIs, providing a controlled gateway for applications and partners to access internal services. The vulnerability is particularly dangerous because exploitation requires no authentication, has low attack complexity, and needs no user interaction, which makes it an attractive target for threat actors.

IBM has issued a clear warning, stating the flaw could allow a remote attacker to circumvent authentication and access applications without authorization. The company strongly advises all administrators to upgrade their installations to the latest version as the primary solution to block potential attacks. For those unable to apply the security patch immediately, IBM has provided a crucial mitigation step: disabling the self-service sign-up feature on the Developer Portal, if it is currently enabled. This action can help reduce the exposure window until a permanent fix is deployed.
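The version ranges and the interim mitigation above are the two facts a defender needs to triage an estate of API Connect deployments. The following script is an added example for this article, not IBM's own tooling: it encodes the affected ranges exactly as the article states them, compares versions numerically rather than as strings (a lexical compare would put 10.0.8.10 before 10.0.8.5), and classifies each deployment by whether it is in range and whether Developer Portal self-service sign-up is still enabled. The inventory records, the `self_service_signup` field name and the deployment names are constructed for illustration; the fixed release is deliberately not hard-coded, because the article only says "upgrade to the latest version" and that target must come from IBM's advisory.

```python
"""Triage IBM API Connect deployments against the CVE-2025-13915 advisory.

Added example for this article, not IBM's own tooling. The affected ranges
are the ones the article lists (10.0.11.0 and 10.0.8.0 through 10.0.8.5).
The fixed release is not hard-coded: the article only says "upgrade to the
latest version", so take the target level from IBM's advisory. The
inventory records at the bottom are constructed sample data.
"""
from typing import Dict, List, Tuple

# Affected version ranges, inclusive at both ends, as stated in the article.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("10.0.11.0", "10.0.11.0"),
    ("10.0.8.0", "10.0.8.5"),
]

# Triage outcomes. "Outside the listed ranges" is not a certificate of
# safety; it only means the version is not in the article's affected list.
ACTION_EXPOSED = "EXPOSED: upgrade now or disable self-service sign-up"
ACTION_MITIGATED = "mitigation applied: still upgrade"
ACTION_OUTSIDE = "outside the ranges listed in the advisory"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.8.5' into (10, 0, 8, 5) so comparisons are numeric.

    Comparing version strings lexically is a classic mistake:
    '10.0.8.10' < '10.0.8.5' as strings, but 10.0.8.10 is the later build.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '10.0.8' compares as 10.0.8.0."""
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True when the version falls inside any advisory range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_t, hi_t = parse_version(lo), parse_version(hi)
        width = max(len(v), len(lo_t), len(hi_t))
        if _pad(lo_t, width) <= _pad(v, width) <= _pad(hi_t, width):
            return True
    return False


def triage(inventory: List[Dict[str, object]]) -> Dict[str, str]:
    """Map each deployment name to a triage action.

    Each record carries 'name', 'version' and 'self_service_signup' (whether
    the Developer Portal's self-service sign-up is enabled, the setting IBM
    says to disable as an interim mitigation). A missing flag is treated as
    enabled, the conservative assumption.
    """
    actions: Dict[str, str] = {}
    for rec in inventory:
        name, version = str(rec["name"]), str(rec["version"])
        if not is_affected(version):
            actions[name] = ACTION_OUTSIDE
        elif rec.get("self_service_signup", True):
            actions[name] = ACTION_EXPOSED
        else:
            actions[name] = ACTION_MITIGATED
    return actions


# Constructed sample inventory: hypothetical deployments and version strings,
# chosen to exercise the range edges and the numeric-vs-lexical comparison.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "apic-prod-vmware", "version": "10.0.8.5", "self_service_signup": True},
    {"name": "apic-prod-ocp", "version": "10.0.8.10", "self_service_signup": True},
    {"name": "apic-dev-k8s", "version": "10.0.11.0", "self_service_signup": False},
    {"name": "apic-legacy", "version": "10.0.7.2", "self_service_signup": True},
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name:<18} {action}")
```

Feed `triage()` the output of whatever inventory source you already trust (a CMDB export, the version banners your deployment pipeline records) rather than hand-maintained records, and treat "outside the ranges listed in the advisory" as a prompt to confirm the build is at or above IBM's fixed level, not as a clean bill of health.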

Detailed technical instructions for applying the necessary patch are available from IBM for environments running on VMware, OpenShift, and Kubernetes. This vulnerability underscores a broader pattern of security concerns within IBM’s product suite. Over recent years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple IBM vulnerabilities to its catalog of known exploited flaws. These entries are reserved for security weaknesses that are being actively abused in real-world attacks, and federal agencies are mandated to address them.

For instance, two other IBM flaws, a code execution issue in Aspera Faspex and an input validation problem in InfoSphere BigInsights, have been flagged by CISA after being leveraged in ransomware campaigns. The recurrence of such critical vulnerabilities highlights the importance of maintaining vigilant patch management practices, especially for enterprise software that forms a core part of an organization’s digital infrastructure. Proactive updating remains the most effective defense against these evolving threats.

(Source: Bleeping Computer)
