Critical IBM API Connect Flaw Allows Attackers to Bypass Authentication

IBM has disclosed a critical authentication bypass vulnerability affecting its API Connect platform, assigning it a maximum CVSS severity score of 9.8.

The flaw, tracked as CVE-2025-13915, represents a primary authentication weakness (CWE-305) that requires no user interaction or special privileges to exploit.

The vulnerability impacts IBM API Connect versions 10.0.8.0 through 10.0.8.5 and version 10.0.11.0.

| Field | Value |
|---|---|
| CVE ID | CVE-2025-13915 |
| Vulnerability Title | IBM API Connect Authentication Bypass |
| CVSS Version | CVSS v3.1 |
| CVSS Base Score | 9.8 (Critical) |

According to IBM’s security advisory, a remote attacker can exploit this flaw to bypass the platform’s authentication mechanisms entirely, gaining unauthorized access without credentials.

The attack requires only network connectivity; no complex setup or user cooperation is necessary.

API Connect serves as a critical infrastructure component for organizations managing and exposing APIs at scale.

The platform handles authentication, access control, and security policies for API traffic. An authentication bypass in this layer could expose backend systems, sensitive data, and business logic to unauthorized access.

IBM strongly recommends customers upgrade immediately to patched versions. For API Connect 10.0.8 users, interim fixes (iFix) are available for all affected versions, ranging from 10.0.8.1 through 10.0.8.5.

Version 10.0.11 users should apply the corresponding security patch. Detailed upgrade instructions and download links are available on IBM’s support portal.

For organizations unable to deploy patches immediately, IBM recommends disabling self-service sign-up functionality on the Developer Portal if currently enabled.

This mitigation reduces exposure by limiting the attack surface, though it does not fully eliminate the vulnerability.

The 9.8 CVSS score indicates complete compromise potential across confidentiality, integrity, and availability.

Security teams should treat this as a critical priority, particularly for production API Connect deployments that expose business-critical services.

Organizations running affected versions should conduct an immediate inventory of their IBM API Connect instances and prioritize patching efforts.
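The inventory step above is where version comparison mistakes creep in (a plain string comparison sorts "10.0.8.10" before "10.0.8.5"). The helper below is an added example, not code from IBM or its advisory; it assumes dotted numeric version strings and uses only the affected ranges stated in this write-up (10.0.8.0 through 10.0.8.5 inclusive, and 10.0.11.0).

```python
"""Triage helper: flag IBM API Connect versions that fall inside the ranges
this write-up lists as affected by CVE-2025-13915.

Assumptions (not from the advisory): versions are dotted numerics such as
"10.0.8.3"; short forms like "10.0.8" are padded with zeros to four parts.
"""
from typing import Dict, List, Tuple

# Inclusive (low, high) ranges, exactly as stated above.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("10.0.8.0", "10.0.8.5"),
    ("10.0.11.0", "10.0.11.0"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.0.8.3' into (10, 0, 8, 3). Integer tuples compare numerically;
    string comparison would wrongly place '10.0.8.10' below '10.0.8.5'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))  # pad short forms


def is_affected(version: str) -> bool:
    """True if the version lies inside any listed affected range."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames from a {host: version} map that need patching."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "apic-prod-01": "10.0.8.2",
        "apic-prod-02": "10.0.8.5",
        "apic-dev-01": "10.0.8.10",   # newer than the range, not flagged
        "apic-lab-01": "10.0.11.0",
        "apic-old-01": "10.0.7.9",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is affected, apply the iFix/patch")
```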

Given the critical nature and the ease of exploitation, this vulnerability should be addressed within days rather than weeks. Security teams should also review API access logs for suspicious authentication patterns that might indicate exploitation attempts.