IBM has issued a security alert for users of its API Connect platform after internal testing uncovered a critical vulnerability that could expose enterprise applications to unauthenticated intruders. The flaw, which carries a near-maximum severity score, allows a remote attacker to bypass the platform's authentication mechanisms without presenting valid credentials.
The flaw, tracked as CVE-2025-13915, is classified as an Authentication Bypass by Primary Weakness (CWE-305): the authentication design itself is sound, but the implemented mechanism can be circumvented because of a separate weakness that sits in front of the authentication check.
The details of the vulnerability paint a concerning picture for system administrators. According to the advisory, the flaw “could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application”.
IBM has assigned the vulnerability a CVSS Base Score of 9.8, classifying it as critical. The quoted exploitability metrics explain why the score is so high:
- Network Exploitable (AV:N): The attack can be launched remotely over the network, including from the internet if the endpoint is exposed.
- Low Complexity (AC:L): The attack does not depend on special conditions such as a race or a guessed secret.
- No Privileges Required (PR:N): The attacker does not need a pre-existing account or any permissions.
- No User Interaction (UI:N): The attack succeeds without tricking a user into clicking a link or performing any action.
The advisory text quoted here does not spell out the remaining base metrics, but with this exploitability the only CVSS 3.x combination that yields exactly 9.8 is unchanged scope with high impact on confidentiality, integrity and availability; anything less lands at 9.4 or below, and a scope change pushes the score to 9.9 or 10.0.
The vulnerability affects specific versions of the IBM API Connect suite. Administrators are urged to check their deployments for the following versions:
- API Connect V10.0.8.0 through V10.0.8.5
- API Connect V10.0.11.0
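For teams with more than a handful of gateways, the range check is easy to get wrong by hand (10.0.8.6 is outside the range, 10.0.11.1 is not listed). The following added example, which is not IBM tooling, encodes the two affected ranges exactly as quoted above and triages a constructed inventory; host names and version strings are made up, and the checker deliberately refuses anything that is not a plain dotted numeric version rather than guessing how an iFix suffix should compare.

```python
import re

# Affected ranges exactly as stated in the advisory quoted above,
# each as an inclusive (lowest, highest) pair of 4-component versions.
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),    # V10.0.8.0 through V10.0.8.5
    ((10, 0, 11, 0), (10, 0, 11, 0)),  # V10.0.11.0 only
]

VERSION_RE = re.compile(r"\s*[Vv]?(\d+(?:\.\d+){0,3})\s*")


def parse_version(text):
    """Turn 'V10.0.8.3' or '10.0.8.3' into a 4-tuple of ints.
    Shorter strings are right-padded with zeros (10.0.8 -> 10.0.8.0).
    Anything else, including a fifth component or an iFix suffix whose
    ordering we do not know, raises instead of comparing wrongly."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(text):
    """True if the version falls inside any affected range (inclusive)."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'affected' / 'not affected' / 'unparseable' so that
    unparseable entries surface for manual review instead of vanishing."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("apic-prod-01", "V10.0.8.3"),
    ("apic-prod-02", "10.0.8.5"),
    ("apic-dev-01", "10.0.8.6"),
    ("apic-dev-02", "V10.0.11.0"),
    ("apic-dev-03", "10.0.11.1"),
    ("apic-legacy", "10.0.7.2"),
    ("apic-unknown", "10.0.8.x"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

The boundary cases matter: 10.0.8.5 is the last affected release on the 10.0.8 branch, 10.0.8.6 is not listed, and on the 10.0.11 branch only 10.0.11.0 appears in the advisory.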
IBM “strongly recommends addressing the vulnerability now by upgrading”. The vendor has released interim fixes (iFixes) for both affected version ranges: the 10.0.8.x branch and version 10.0.11.0.
For organizations that cannot immediately take systems offline to apply the iFix, IBM has offered a temporary mitigation. Administrators can “disable self-service sign-up on their Developer Portal if enabled,” which IBM notes will “help minimise their exposure to this vulnerability” until a permanent fix can be applied. This is a risk-reduction step rather than a fix: the vulnerable code remains in place, so the upgrade should still be scheduled.