What the Q3 2025 ThreatStats Report Tells Us — API Security


Wallarm’s latest Q3 2025 API ThreatStats report [link placeholder] reveals that API vulnerabilities, exploits, and breaches are not just increasing; they’re evolving. 

Malicious actors are shifting from code-level weaknesses to business logic flaws, from web apps to partner integrations, and from REST to AI-powered APIs.

Here’s what stood out this quarter, and what security leaders should do about it.


API Vulnerabilities Surge Again

In Q3 2025, our researchers identified 1,602 API-related vulnerabilities, a 20% increase from Q2. The average severity held steady at a CVSS of 7.4, meaning most flaws remain High or Critical.

The culprits haven’t changed much:

  • Security Misconfiguration (API8) once again topped the list with 605 cases, up 33% quarter over quarter.
  • Broken Authorization (API5, API1) accounted for roughly 28% of all API vulnerabilities.
  • Broken Authentication (API2) climbed sharply, driven by weak credential enforcement in REST and SOAP APIs.

Despite greater awareness, the same fundamental issues persist: misconfigurations, insufficient access control, and poor credential hygiene. Each points to the same systemic gap: APIs are still being deployed faster than they are secured.

AI-API and MCP Vulnerabilities Are Exploding

If there’s one unmistakable trend, it’s the rise of AI-API vulnerabilities.

In Q3, these grew from 77 to 121, a 57% increase in just three months. Within that group, Model Context Protocol (MCP) vulnerabilities spiked 270%, signaling that malefactors are quickly learning how to exploit model-serving and inference pipelines.

Most of these flaws map to familiar API weaknesses: misconfiguration, broken function-level authorization, and unsafe consumption of APIs. But the implications run deeper.

AI-API integrations don’t just expose data; they expose business logic, workflows, and trust chains. As entities embed AI across customer and partner interfaces, these attack surfaces multiply, and traditional API scanning alone can’t keep pace.

The takeaway: As we claimed in our 2025 Annual API ThreatStats report, AI security is now API security. Any enterprise integrating model endpoints or agentic systems must extend its API protection stack to cover inference and orchestration layers.

Exploited APIs Still Follow the Same Patterns

The CISA Known Exploited Vulnerabilities (KEV) catalog added 51 new entries in Q3. Of those, 8 (16%) were API-related, showing that APIs remain a consistent portion of confirmed in-the-wild exploits.

These real-world attacks reflected the same old patterns:

  • Broken Authorization in Cisco ISE and TeleMessage APIs enabled unauthorized access and remote code execution.
  • Security Misconfiguration exposed diagnostic interfaces such as Spring Boot Actuator endpoints.
  • Unsafe Consumption of APIs led to deserialization flaws in systems like Fortra GoAnywhere and DELMIA Apriso.

The overlap between vulnerabilities and active exploits is telling. The same classes of weaknesses keep being rediscovered, re-exploited, and remediated, often too late.

Breaches Reveal Expanding Attack Chains

Eight major API-related breaches were confirmed in Q3, spanning fintech, hospitality, SaaS, and AI. The numbers dipped slightly from Q2, but the scope and complexity increased.

The standout was the Salesloft / Drift OAuth incident, which used stolen tokens to compromise Salesforce APIs across multiple enterprises, including Cloudflare, Zscaler, Palo Alto Networks, and Google. It was a single exploit that rippled across entire partner ecosystems.

Other cases worth mentioning include:

  • Restaurant Brands International (RBI): drive-thru and ordering APIs exploited through logic flaws and broken object-level authorization (BOLA).
  • SwissBorg: $41M lost through fintech API abuse.
  • McDonald’s (via Paradox.ai): internal chatbot APIs exposed sensitive applicant and HR data.
  • Flexypay Solutions: fraudulent partner API calls triggered unauthorized payouts.

The common thread is that bad actors are doing more than probing APIs for injection flaws; they are manipulating workflows, tokens, and trust boundaries.

The Rise of Business Logic Abuse

Among all findings, the report highlights one trend every CISO should note: Business Logic Abuse (BLA).

Unlike SQL injection or XSS, BLA doesn’t exploit coding errors; it abuses the way an application is designed to work. Attackers skip steps, repeat one-time actions, or twist state transitions to gain unauthorized outcomes.

Examples include:

  • Reusing coupons or refunds that should expire (Action Limit Overrun)
  • Skipping workflow validation steps (Missing Transition Validation)
  • Abusing hidden or legacy API functions (Shadow Function Abuse)

The OWASP Business Logic Abuse Top 10, released this year, formalizes this growing class of attacks. And with 82% of businesses now describing themselves as API-first, the logic layer has become a lucrative new target.
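To make the three patterns concrete, here is an added Python example (not code from the report or from Wallarm) of a toy order workflow. The vulnerable handlers accept any schema-valid request; the hardened ones keep the state machine, the one-time-action ledger, and the route allow-list on the server side. The order fields, route names, and prices are constructed for illustration.

```python
"""Added example (not from the Wallarm report or its product): a toy order
workflow showing the three abuse patterns named above and the state-machine
checks that close them. Order fields, routes and prices are constructed."""
from dataclasses import dataclass, field

# Every legal workflow edge. Anything not listed is a skipped or reversed step.
TRANSITIONS = {
    "created": {"paid"},
    "paid": {"shipped"},
    "shipped": {"delivered"},
    "delivered": set(),
}


class LogicAbuse(Exception):
    """Raised when a request is well-formed but violates the workflow rules."""


@dataclass
class Order:
    order_id: str
    state: str = "created"
    total: float = 100.0
    coupons_used: set = field(default_factory=set)
    refunded: bool = False


# --- Vulnerable handlers: schema-valid input is accepted without state checks --
def vulnerable_set_state(order, new_state):
    order.state = new_state            # Missing Transition Validation: any jump allowed


def vulnerable_apply_coupon(order, code, discount):
    order.total -= discount            # Action Limit Overrun: one-time coupon reusable


def vulnerable_legacy_refund(order):
    order.refunded = True              # Shadow Function Abuse: old path still reachable
    return order.total


# --- Hardened handlers: the server owns the state machine ---------------------
def set_state(order, new_state):
    if new_state not in TRANSITIONS.get(order.state, set()):
        raise LogicAbuse(f"illegal transition {order.state} -> {new_state}")
    order.state = new_state


def apply_coupon(order, code, discount):
    if order.state != "created":
        raise LogicAbuse("coupons can only be applied before payment")
    if code in order.coupons_used:
        raise LogicAbuse(f"coupon {code} already consumed on this order")
    order.coupons_used.add(code)       # record the one-time action server-side
    order.total = max(0.0, order.total - discount)


def refund(order):
    if order.state != "delivered" or order.refunded:
        raise LogicAbuse("refund needs a delivered, not-yet-refunded order")
    order.refunded = True
    return order.total


# Explicit route allow-list: a legacy refund path is simply not dispatchable.
ROUTES = {"state": set_state, "coupon": apply_coupon, "refund": refund}


def dispatch(route, order, **params):
    handler = ROUTES.get(route)
    if handler is None:
        raise LogicAbuse(f"no such route: {route}")
    return handler(order, **params)


def rejected(fn, *args, **kwargs):
    """True when the handler refuses the request; handy for abuse simulations."""
    try:
        fn(*args, **kwargs)
    except LogicAbuse:
        return True
    return False


if __name__ == "__main__":
    o = Order("demo")
    print("skip straight to delivered blocked:", rejected(dispatch, "state", o, new_state="delivered"))
    dispatch("coupon", o, code="SAVE10", discount=10.0)
    print("second use of SAVE10 blocked:", rejected(dispatch, "coupon", o, code="SAVE10", discount=10.0))
    print("legacy refund route blocked:", rejected(dispatch, "legacy_refund", o))
```

Note what the hardened version does not rely on: the client-supplied sequence of calls. Each request is judged against the order's current server-side state, so "skip a step", "repeat a one-time action", and "call the old endpoint" all fail at the same place a WAF signature would never look.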


Traditional WAFs and static scanners can’t catch this. Only stateful, behavior-aware monitoring and context-driven testing can detect BLA in real time.

Key Takeaways for Security Leaders

Q3 confirms that API risk is outpacing traditional AppSec coverage. Misconfigurations and authorization failures remain endemic, AI integrations are accelerating, and logic abuse has entered the mainstream. The gap between awareness and execution is widening.

So where should firms focus next?

Make API Security a First-Class Citizen

APIs now represent your primary attack surface. Treat them that way. Integrate API metrics (inventory coverage, exposure rates, mean time to detect) into your board-level dashboards.

Bridge the AppSec Divide

Web, mobile, and API security are no longer separate domains. Unify governance and testing under one framework so that every new service is secure from design through deployment.

Extend Protection to AI Pipelines

AI endpoints must be monitored like privileged systems. Instrument model APIs, log inference traffic, and audit integrations quarterly. Agentic systems require the same (or greater) rigor as customer-facing APIs.

Hunt Shadow APIs

Discovery isn’t enough. Use active scanning and traffic correlation to uncover unregistered endpoints, debug paths, and staging leftovers before attackers do. 
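One cheap form of the traffic correlation described here is to diff what the gateway actually served against the OpenAPI inventory. The added Python example below (not code from the report or from Wallarm) does that: it matches each access-log request against the registered method-plus-path templates and counts everything that does not fit. The inventory and the log lines are constructed; in practice both come from your API catalog and your gateway or load-balancer logs.

```python
"""Added example (not from the Wallarm report): find unregistered endpoints by
correlating gateway access logs with the documented API inventory.
The inventory, log lines and addresses below are constructed."""
import re
from collections import Counter

# Constructed stand-in for the OpenAPI inventory: "METHOD /template/path".
INVENTORY = {
    "GET /v1/orders/{id}",
    "POST /v1/orders",
    "GET /v1/users/{id}",
}

# Constructed access-log excerpt in common log format.
ACCESS_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /v1/orders/123 HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2025:10:00:02 +0000] "POST /v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Oct/2025:10:00:03 +0000] "GET /v1/users/42?fields=email HTTP/1.1" 200 301
203.0.113.7 - - [01/Oct/2025:10:00:04 +0000] "GET /actuator/env HTTP/1.1" 200 4096
203.0.113.7 - - [01/Oct/2025:10:00:05 +0000] "GET /actuator/env HTTP/1.1" 200 4096
10.0.0.5 - - [01/Oct/2025:10:00:06 +0000] "DELETE /v1/orders/123 HTTP/1.1" 204 0
10.0.0.5 - - [01/Oct/2025:10:00:07 +0000] "GET /v1/orders-staging/123/ HTTP/1.1" 200 510
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def template_to_regex(template):
    """Turn 'GET /v1/orders/{id}' into ('GET', regex matching one concrete path)."""
    method, path = template.split(" ", 1)
    parts = []
    for seg in path.split("/"):
        # A {param} segment matches exactly one non-empty path segment.
        parts.append("[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return method, re.compile("^" + "/".join(parts) + "$")


def normalize_path(raw):
    """Drop the query string and a trailing slash so variants collapse together."""
    path = raw.split("?", 1)[0].rstrip("/")
    return path or "/"


def report_key(method, path):
    """Group numeric IDs under {n} so one shadow route shows up as one line."""
    return method + " " + "/".join("{n}" if seg.isdigit() else seg for seg in path.split("/"))


def find_shadow_endpoints(log_text, inventory):
    """Return Counter of 'METHOD /path' seen in traffic but absent from the inventory."""
    compiled = [template_to_regex(t) for t in inventory]
    unmatched = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        method, path = m["method"], normalize_path(m["path"])
        registered = any(method == im and rx.match(path) for im, rx in compiled)
        if not registered:
            unmatched[report_key(method, path)] += 1
    return unmatched


if __name__ == "__main__":
    for endpoint, hits in find_shadow_endpoints(ACCESS_LOG, INVENTORY).most_common():
        print(f"{hits:4d}  {endpoint}")
```

The method is part of the key on purpose: a `DELETE` on a documented `GET`-only resource is just as undocumented as a brand-new path, and that is where a lot of "legacy leftover" functionality hides. Run this over a day of traffic and the `{n}`-collapsed list is a short, reviewable queue for the inventory owner.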

Test Business Logic, Not Just Code

Automate abuse simulations in CI/CD. Check for role escalation, skipped workflows, and token replay. If your QA process ends with schema validation, you’re not testing security, just syntax.
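Here is what an abuse simulation of that kind can look like, as an added Python example (not code from the report or from Wallarm). It wraps a small HMAC-signed bearer-token check and runs the checks a CI/CD gate would assert on: token replay, role escalation, claim tampering, and expiry. The secret, users, route policy, and the single-use token rule are constructed assumptions, not any vendor's implementation.

```python
"""Added example (not from the Wallarm report): a tiny HMAC-signed bearer
token check plus the abuse simulation a CI/CD job would run against it.
Secret, users, routes and the single-use-token policy are constructed."""
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # placeholder; a real service loads this from a vault

# Which roles may call which route (constructed policy).
POLICY = {
    "GET /me": {"user", "admin"},
    "POST /admin/payouts": {"admin"},
}


class AuthError(Exception):
    """Request carries no acceptable credential for this route."""


def issue_token(sub, role, jti, exp, secret=SECRET):
    """Sign claims as <json>.<hex hmac>; sort_keys keeps the encoding canonical."""
    payload = json.dumps({"sub": sub, "role": role, "jti": jti, "exp": exp}, sort_keys=True)
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


class Authorizer:
    """Verifies signature, expiry, single use (jti) and role, in that order."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.seen_jti = set()   # consumed token ids; production uses a shared store with TTL

    def authorize(self, token, route, now):
        payload, _, sig = token.rpartition(".")
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise AuthError("bad signature")      # tampered claims never reach the checks below
        claims = json.loads(payload)
        if claims["exp"] <= now:
            raise AuthError("expired")
        if claims["jti"] in self.seen_jti:
            raise AuthError("token replayed")
        if claims["role"] not in POLICY.get(route, set()):
            raise AuthError(f"role {claims['role']} may not call {route}")
        self.seen_jti.add(claims["jti"])           # consume only after every check passed
        return claims["sub"]


def rejected(fn, *args, **kwargs):
    """True when the authorizer refuses the request."""
    try:
        fn(*args, **kwargs)
    except AuthError:
        return True
    return False


def abuse_simulation(now=1_700_000_000):
    """Run the checks a CI/CD gate would assert on; returns {check: blocked?}."""
    auth = Authorizer()
    results = {}
    # 1. Token replay: first use succeeds, the identical second request must not.
    t1 = issue_token("alice", "user", "jti-1", now + 60)
    results["first_use_ok"] = auth.authorize(t1, "GET /me", now) == "alice"
    results["replay_blocked"] = rejected(auth.authorize, t1, "GET /me", now)
    # 2. Role escalation: a perfectly valid user token on an admin-only route.
    t2 = issue_token("alice", "user", "jti-2", now + 60)
    results["escalation_blocked"] = rejected(auth.authorize, t2, "POST /admin/payouts", now)
    # 3. Claim tampering: promote the role in the payload without re-signing.
    t3 = issue_token("alice", "user", "jti-3", now + 60)
    forged = t3.replace('"role": "user"', '"role": "admin"')
    results["tamper_blocked"] = rejected(auth.authorize, forged, "POST /admin/payouts", now)
    # 4. Expiry: an otherwise valid admin token presented after exp.
    t4 = issue_token("bob", "admin", "jti-4", now - 1)
    results["expiry_blocked"] = rejected(auth.authorize, t4, "POST /admin/payouts", now)
    return results


if __name__ == "__main__":
    for check, ok in abuse_simulation().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Every one of these requests is schema-valid: the JSON parses, the fields have the right types, and a contract test would wave them all through. That is the distinction the section above draws between testing syntax and testing security. Wire the function into the pipeline so that any `False` fails the build.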

API Security Leads AppSec

The Q3 2025 API ThreatStats report paints a picture of API sprawl, AI integration, and business logic flaws converging into a systemic risk.

Attackers are evolving faster than defenses. The question isn’t whether APIs will be targeted; it’s whether entities can see and stop the attacks before they cascade across connected ecosystems.

API security can no longer sit behind AppSec. It has to lead it. For the full insights, download the report today.
