APIs have emerged as the predominant attack surface over the past year, with AI being the biggest driver of API security risks, according to Wallarm.
“Based on our findings, what is clear is that API security is no longer just a technical challenge – it’s now a business imperative,” said Ivan Novikov, CEO of Wallarm.
“API related security flaws are fueled by the adoption of AI, as APIs are the critical interface between AI models and the applications they power. However, this rapid growth has exposed significant vulnerabilities. For instance, we found that 57% of AI-powered APIs were externally accessible, and 89% relied on insecure authentication mechanisms. Of particular concern is that only 11% had robust security measures in place, leaving most endpoints vulnerable. In today’s environment, organizations cannot afford to not secure their APIs. Failure to do so means they are exposing themselves to grave risks that can result in costly technical vulnerabilities and reputational and operational crises,” added Novikov.
Researchers tracked 439 AI-related CVEs, a 1,025% increase from the prior year. 99% were directly tied to APIs, including injection flaws, misconfigurations, and new memory corruption vulnerabilities stemming from AI’s reliance on high-performance binary APIs.
Additionally, 50% of all recorded CISA exploited vulnerabilities were API-related for the first time, a 30% increase from the year before, and this highlights the growing prevalence and criticality of API security in modern threat environments. API vulnerabilities surpass traditional exploit categories like kernel, browser, and supply chain vulnerabilities, underscoring their central role in cyberattacks.
AI as a catalyst for new vulnerabilities
In the survey of 200 US-based enterprise leaders on AI and API security, 53% reported engaging in multiple AI deployments. These deployments are primarily enabled by API technology, cementing APIs as the foundation of enterprise AI adoption. However, while AI integration drives rapid API adoption across industries, it also introduces unique risks.
For instance, threat intelligence flagged significant vulnerabilities in AI tools like PaddlePaddle and MLflow, which underpin enterprise AI deployments. These tools were exploited at API endpoints, compromising training data, siphoning intellectual property, or injecting malicious payloads into machine learning pipelines.
APIs facilitating real-time data exchanges between AI models and applications often lack adequate security measures, making them susceptible to injection, abuse, and memory-related exploits.
While legacy APIs such as those used in Digi Yatra and Optus incidents remain vulnerable due to outdated designs, modern RESTful APIs are equally at risk due to complex integration challenges and improper configurations. APIs now represent the largest category of exploited vulnerabilities in CISA KEV, with modern APIs representing over 33%.
Exploits include improper authentication, injection attacks, and API endpoint misconfigurations, targeting enterprise-grade platforms with prominent attacks, including Ivanti and Palo Alto Networks. Legacy APIs in web applications represent over 18% of exploited vulnerabilities. These vulnerabilities arise in older APIs typically used within web applications for AJAX backends, URL parameters, or direct calls to .php files.
Often integrated into devices like cameras or IoT systems, these APIs lack the robust security measures of their modern counterparts, with key exploit types including URL-based injection, CSRF attacks, and outdated session handling mechanisms.
Growing exploitation of authentication and access control
The Twilio and Tech in Asia breaches demonstrated how attackers exploit weak authentication and access control mechanisms to gain unauthorized access. These issues are exacerbated by the decentralized nature of API management in large organizations, as API-related breaches escalate in frequency and severity.
In last year’s Wallarm report based on 2023 data, API-related breaches were significant but sparse, with only a few incidents reported each quarter. In 2024, this picture changed dramatically, with an average of three monthly incidents—and, at times, as many as five to seven breaches each month.
The rise of API-driven systems in sectors like healthcare, transportation, technology, and financial services has led to a surge in vulnerabilities, placing APIs squarely at the center of the cybersecurity landscape.
As APIs drive innovation, particularly in AI-enabled systems, organizations need real-time API controls to protect their business operations, customer trust, and long-term success. Looking ahead to 2025, organizations must prioritize API security to safeguard their systems and unlock the full potential of APIs as the key driver of business transformation.