Critical vulnerability in IBM API Connect requires quick patch

A critical vulnerability in IBM’s API Connect platform allows hackers to gain access to applications.

IBM is warning customers about a serious security vulnerability in its API Connect platform, which could allow attackers to gain access to applications without authentication.

Authentication can be completely bypassed

The vulnerability, tracked as CVE-2025-13915, has a CVSS score of 9.8 out of 10 and affects IBM API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5. API Connect acts as an API gateway and is used by hundreds of companies in sectors such as banking, healthcare, retail, and telecom.

With successful exploitation, an attacker can access applications exposed through API Connect without valid credentials. The attack is low in complexity, requires no user interaction, and can be carried out entirely remotely.

Update as soon as possible

IBM urges administrators to upgrade vulnerable installations to the latest version as soon as possible to prevent abuse. For companies that cannot apply the patch immediately, IBM recommends disabling self-service sign-up in the Developer Portal.

“IBM API Connect may allow a remote attacker to bypass authentication and gain unauthorized access,” IBM said in a security advisory. “We strongly recommend that customers address this vulnerability immediately by upgrading.”