IBM API Connect Authentication Bypass Vulnerability (CVE-2025-13915)
IBM has urged customers to patch a critical authentication bypass vulnerability in its API Connect enterprise platform. The flaw could allow attackers to remotely access applications without valid credentials.
API Connect is an application programming interface (API) gateway that enables organizations to develop, test, and manage APIs, providing controlled access to internal services for applications, business partners, and external developers. It’s available in on-premises, cloud, or hybrid deployments and is used by hundreds of companies across banking, healthcare, retail, and telecommunications.
Tracked as CVE-2025-13915, the vulnerability has a severity rating of 9.8/10 (Critical). Successful exploitation allows unauthenticated threat actors to remotely access exposed applications by circumventing authentication. The attack is of low complexity and does not require user interaction.
Impact and Affected Versions
The following versions of IBM API Connect are affected:
| Version | Status |
|---|---|
| 10.0.11.0 | Vulnerable |
| 10.0.8.0 – 10.0.8.5 | Vulnerable |
IBM recommends upgrading to the latest release to address the vulnerability. For those unable to immediately deploy updates, IBM provides mitigation measures.
“IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. IBM strongly recommends addressing the vulnerability now by upgrading,” IBM stated. “Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled.”