
IBM warns of critical API Connect auth bypass vulnerability

IBM has urged customers to patch a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow unauthenticated remote attackers to access exposed applications.

API Connect is an application programming interface (API) gateway that enables organizations to develop, test, and manage APIs and provide controlled access to internal services for applications, business partners, and external developers.

Available in on-premises, cloud, or hybrid deployments, API Connect is used by hundreds of companies in banking, healthcare, retail, and telecommunications sectors.

Tracked as CVE-2025-13915 and rated 9.8/10 (critical) in severity, the authentication bypass flaw affects IBM API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5.

Successful exploitation enables unauthenticated threat actors to remotely access exposed applications by circumventing authentication in low-complexity attacks that don’t require user interaction.
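For admins triaging an estate, the first practical step is to compare each installation's reported version against the affected ranges above. The script below is an added example (not IBM code and not from the advisory) that does that comparison numerically, because a quick string comparison silently misclassifies versions such as a hypothetical 10.0.8.10. The ranges are exactly those the article lists; a version outside them is reported as "not listed", which is not the same as confirmed fixed, so the upgrade guidance still applies. The inventory is constructed sample data.

```python
# Added example: check IBM API Connect version strings against the affected
# ranges reported for CVE-2025-13915. Not IBM's code; ranges taken from the
# article (10.0.8.0 through 10.0.8.5 inclusive, and 10.0.11.0).
from __future__ import annotations

# Inclusive (low, high) bounds as integer tuples so comparison is numeric.
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]

# Constructed sample inventory (hostname -> reported version); not real hosts.
SAMPLE_INVENTORY = {
    "apic-gw-prod-1": "10.0.8.5",
    "apic-gw-prod-2": "10.0.8.3",
    "apic-mgmt-dev": "10.0.11.0",
    "apic-gw-legacy": "10.0.5.7",
    "apic-gw-hotfix": "10.0.8.10",   # hypothetical, numerically newer than 10.0.8.5
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.8.5' into (10, 0, 8, 5). Short forms such as '10.0.8' are
    padded with zeros so they compare as 10.0.8.0. Non-numeric input is
    rejected rather than guessed at."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def is_listed_affected(text: str) -> bool:
    """True if the version falls inside one of the listed affected ranges.
    False means 'not listed here', not 'known fixed'."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def lexical_is_affected(text: str) -> bool:
    """The naive string comparison a quick one-liner would use, kept only to
    show the pitfall: '10.0.8.10' sorts between '10.0.8.0' and '10.0.8.5'
    as text, so it is wrongly flagged as inside the range."""
    return "10.0.8.0" <= text <= "10.0.8.5" or text == "10.0.11.0"


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose reported version is in a listed range."""
    return sorted(host for host, ver in inventory.items() if is_listed_affected(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range")
    # Demonstrate the string-comparison pitfall on the hypothetical hotfix version.
    print("10.0.8.10 lexical:", lexical_is_affected("10.0.8.10"),
          "numeric:", is_listed_affected("10.0.8.10"))
```

Feed `triage` the version strings your management or gateway nodes report; anything it returns needs the interim fix or, failing that, the Developer Portal mitigation IBM describes, and anything it does not return should still be compared against IBM's own fix list before being treated as safe.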

IBM asked admins to upgrade vulnerable installations to the latest release to block potential attacks and provided mitigation measures for those who can’t immediately deploy the security updates.

“IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. IBM strongly recommends addressing the vulnerability now by upgrading,” the tech giant said. “Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exposure to this vulnerability.”

Detailed instructions for applying the CVE-2025-13915 patch in VMware, OCP, and Kubernetes environments are available in this support document.

Over the past four years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple IBM security vulnerabilities to its catalog of known exploited vulnerabilities, tagging them as actively abused in the wild and ordering federal agencies to secure their systems, as mandated by Binding Operational Directive (BOD) 22-01.

Two of these security flaws, a code execution flaw in IBM Aspera Faspex (CVE-2022-47986) and an invalid input flaw in IBM InfoSphere BigInsights (CVE-2013-3993), have also been flagged by the U.S. cybersecurity agency as exploited in ransomware attacks.

