
IBM has disclosed a critical vulnerability in its API Connect product that could let a remote attacker bypass authentication and gain unauthorized access to the application.

Vulnerability Details

The vulnerability, tracked as CVE-2025-13915, carries a CVSS base score of 9.8 out of 10.0, which places it in the critical severity band. IBM classifies it as an authentication bypass.

IBM has stated in a bulletin that “IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.”

Affected Versions

The following versions of IBM API Connect are affected by this vulnerability:

  • 10.0.8.0 to 10.0.8.5
  • 10.0.11.0

Recommendations and Patches

Customers are advised to follow the steps outlined by IBM to apply the fix:

  1. Download the interim fix (iFix) from IBM Fix Central.
  2. Extract the files: Readme.md and ibm-apiconnect-<version>-ifix.13195.tar.gz.
  3. Apply the fix that corresponds to your installed API Connect version.
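Both the affected-version list and the fix procedure come down to one comparison: is the installed API Connect version inside the bulletin's ranges, and is the downloaded iFix built for that same version? The following Python is an added example written for this article, not IBM tooling. It assumes the tarball name follows the `ibm-apiconnect-<version>-ifix.13195.tar.gz` pattern quoted above with a dotted numeric `<version>`; the installed version string and file name in the demo are constructed sample input.

```python
"""Is an IBM API Connect install affected by CVE-2025-13915, and does the
downloaded iFix match it?  Added example for this article; not IBM tooling."""
import re
from typing import Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the IBM bulletin (inclusive bounds):
# 10.0.8.0 through 10.0.8.5, and exactly 10.0.11.0.
AFFECTED_RANGES = (
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
)

# Assumed file-name pattern, built from the bulletin's
# "ibm-apiconnect-<version>-ifix.13195.tar.gz" with a dotted numeric <version>.
IFIX_NAME = re.compile(
    r"^ibm-apiconnect-(?P<version>\d+(?:\.\d+)*)-ifix\.(?P<ifix>\d+)\.tar\.gz$"
)


def parse_version(text: str) -> Version:
    """Turn '10.0.8.5' into (10, 0, 8, 5).

    Tuples of ints compare numerically per component, so 10.0.8.10 sorts
    after 10.0.8.5.  A naive string comparison would put it before and
    misclassify the build.
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so '10.0.8' compares as 10.0.8.0."""
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True if the version falls inside any range listed in the bulletin."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        width = max(len(v), len(lo), len(hi))
        if _pad(lo, width) <= _pad(v, width) <= _pad(hi, width):
            return True
    return False


def ifix_version(filename: str) -> Version:
    """Extract the API Connect version the iFix tarball is built for."""
    m = IFIX_NAME.match(filename)
    if not m:
        raise ValueError(f"unexpected iFix file name: {filename!r}")
    return parse_version(m.group("version"))


def check(installed: str, ifix_filename: str) -> str:
    """Decide what to do with a downloaded iFix for a given install.

    Returns one of:
      'not-affected'     - installed version is outside the bulletin's ranges
      'version-mismatch' - affected, but the iFix is built for another version
      'apply'            - affected and the iFix matches; go ahead
    """
    if not is_affected(installed):
        return "not-affected"
    fix_v, inst_v = ifix_version(ifix_filename), parse_version(installed)
    width = max(len(fix_v), len(inst_v))
    if _pad(fix_v, width) != _pad(inst_v, width):
        return "version-mismatch"
    return "apply"


if __name__ == "__main__":
    # Constructed sample input, not a real deployment.
    installed = "10.0.8.5"
    download = "ibm-apiconnect-10.0.8.5-ifix.13195.tar.gz"
    print(f"{installed} affected: {is_affected(installed)}")
    print(f"{download}: {check(installed, download)}")
```

The point of the tuple comparison is the 10.0.8.10 versus 10.0.8.5 case: string ordering gets it backwards, and a fleet inventory script that compares versions as strings will either miss vulnerable hosts or flag patched ones. The check does not replace the instructions shipped with the iFix; it only tells you whether you should be reading them.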

Temporary Mitigation Measure

For customers who cannot install the interim fix immediately, IBM recommends disabling self-service registration in the Developer Portal, if it is enabled. This reduces exposure but does not remove the underlying flaw; the interim fix is still required.

What is IBM API Connect?

API Connect is a comprehensive application programming interface (API) solution that enables organizations to create, test, manage, and secure APIs in both the cloud and on-premises environments. It is used by various companies and organizations globally to manage their API ecosystems.

Exploitation Status

At the time of writing there is no public evidence that this vulnerability is being actively exploited. A remotely reachable authentication bypass is, however, an attractive target, so customers are urged to apply the fix as soon as possible.

Conclusion

CVE-2025-13915 in IBM API Connect represents a significant risk because it allows a remote attacker to bypass authentication. Prompt application of the IBM-provided interim fix, with the temporary mitigation in place until then, is essential to protecting infrastructure and data. Keeping systems up to date and monitoring vendor security bulletins remains a core practice in security management.

References

  • CVE-2025-13915