A critical security alert has been issued regarding a severe vulnerability in the IBM API Connect platform that could allow remote attackers to bypass authentication mechanisms.
Discovered during internal testing, the flaw poses a significant risk to organizations relying on the platform for API management. It grants unauthorized actors access to the application without requiring valid credentials.
The vulnerability, tracked as CVE-2025-13915, has been assigned a critical CVSS base score of 9.8 out of 10. This near-maximum score reflects the ease of exploitation and the high impact on confidentiality, integrity, and availability.
The flaw is classified under CWE-305, which refers to an “Authentication Bypass by Primary Weakness.” According to the advisory, the issue allows a remote attacker to circumvent the login process entirely.
Because the attack vector is network-based (AV:N) and requires no special privileges (PR:N) or user interaction (UI:N), the risk of automated or widespread exploitation is high.
The vulnerability impacts specific versions of IBM API Connect. Administrators are urged to check their deployments for the following versions:
| Product | Affected Versions |
|---|---|
| IBM API Connect V10.0.8 | Versions 10.0.8.0 through 10.0.8.5 |
| IBM API Connect V10.0.11 | Version 10.0.11.0 |
IBM strongly recommends that all affected customers upgrade immediately to the patched versions. The company has released iFixes for the affected release ranges.
| Product Version | Fix Availability |
|---|---|
| IBM API Connect V10.0.8 | Patches available for versions 10.0.8.1 through 10.0.8.5 |
| IBM API Connect V10.0.11 | iFix available for version 10.0.11 |
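Working out from the two tables above whether a given deployment is in an affected range, and whether a fix is listed for it, is a version comparison that is easy to get wrong with plain string comparison (for example, "10.0.8.10" sorts before "10.0.8.5" as text). The following script is an added example, not IBM's tooling, that encodes the ranges exactly as the advisory states them; it assumes that "version 10.0.11" in the fix table means 10.0.11.0, and the host names in the sample inventory are constructed.

```python
"""Triage IBM API Connect version strings against the CVE-2025-13915 advisory.
Added example, not IBM's own tooling; the ranges below are copied from the
advisory tables and compared numerically, component by component."""
from __future__ import annotations

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),     # V10.0.8: 10.0.8.0 through 10.0.8.5
    ((10, 0, 11, 0), (10, 0, 11, 0)),   # V10.0.11: 10.0.11.0
]

# Levels for which the advisory lists a patch/iFix.
# ASSUMPTION: the table entry "version 10.0.11" is read as 10.0.11.0.
FIX_AVAILABLE_RANGES = [
    ((10, 0, 8, 1), (10, 0, 8, 5)),     # patches for 10.0.8.1 through 10.0.8.5
    ((10, 0, 11, 0), (10, 0, 11, 0)),   # iFix for 10.0.11
]


def parse_version(text: str) -> tuple:
    """Parse 'V10.0.8.3', '10.0.8.3' or '10.0.11' into a 4-tuple of ints.

    Missing trailing components are treated as 0, so '10.0.11' == 10.0.11.0.
    Tuples of ints compare numerically, avoiding the string-sort trap where
    '10.0.8.10' < '10.0.8.5'.
    """
    text = text.strip()
    if text[:1].lower() == "v":
        text = text[1:]
    parts = text.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return tuple(nums)


def _in_ranges(version: tuple, ranges: list) -> bool:
    return any(lo <= version <= hi for lo, hi in ranges)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    return _in_ranges(parse_version(version), AFFECTED_RANGES)


def fix_available(version: str) -> bool:
    """True if the advisory lists a patch/iFix for this exact level."""
    return _in_ranges(parse_version(version), FIX_AVAILABLE_RANGES)


def triage(version: str) -> str:
    """One-line triage outcome for a deployment, following the advisory."""
    if not is_affected(version):
        return "not in an affected range"
    if fix_available(version):
        return "affected: apply the iFix for this release"
    return ("affected: no iFix listed for this exact level; upgrade to a "
            "patched level and disable Developer Portal self-service sign-up "
            "in the meantime")


if __name__ == "__main__":
    # Constructed sample inventory (host names and levels are made up).
    inventory = [
        ("apic-01", "10.0.8.3"),
        ("apic-02", "V10.0.8.0"),
        ("apic-03", "10.0.11"),
        ("apic-04", "10.0.8.6"),
    ]
    for host, ver in inventory:
        print(f"{host:8} {ver:10} {triage(ver)}")
```

Note that 10.0.8.0 is inside the affected range but outside the range for which the fix table lists patches, so the script reports it as affected without a listed iFix; that is exactly what the two tables say, and the script does not guess a target level to upgrade to.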
For organizations that cannot immediately apply the patch, IBM has provided a temporary mitigation. Administrators should disable self-service sign-up on their Developer Portal if it is currently enabled.
While this does not fix the underlying code flaw, it helps minimize the attack surface and reduces exposure to this specific vulnerability until the permanent fix can be deployed.
