PT-2025-53583 · IBM · IBM API Connect

Published: 2025-12-17 · Updated: 2026-02-02 · CVE-2025-13915

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Affected Versions

IBM API Connect versions 10.0.8.0 through 10.0.8.5
IBM API Connect version 10.0.11.0
Description

A critical authentication bypass vulnerability exists in IBM API Connect that allows remote attackers to gain unauthorized access to applications without credentials. The flaw lies in the authentication enforcement of the API gateway, which lets attackers circumvent identity checks. The vulnerability is tracked as CVE-2025-13915, has a CVSS score of 9.8, and is considered a design-level flaw (CWE-305 Improper Authentication). Exploitation requires minimal complexity and poses a significant threat: it can lead to API gateway takeover and compromise of the APIs the gateway manages. The vulnerability affects organizations that use IBM API Connect, including those in banking, healthcare, and retail.
Recommendations

Apply IBM’s interim fixes from Fix Central immediately for versions 10.0.8.0 through 10.0.8.5.
Apply IBM’s interim fixes from Fix Central immediately for version 10.0.11.0.
If patching is delayed, disable Developer Portal self-service sign-up to reduce exposure.

Related Identifiers

BDU:2026-00125
CVE-2025-13915

Affected Products

IBM API Connect