IBM has released details of a critical security vulnerability in its API Connect platform that could allow attackers to bypass authentication and gain unauthorized remote access to the application. Tracked as CVE-2025-13915, the flaw has been assigned a CVSS score of 9.8 out of 10, indicating severe risk. According to IBM, the authentication bypass could expose sensitive configurations and user data for organizations relying on the software. While there is no evidence of exploitation in the wild, customers are strongly urged to apply the patch as soon as possible to mitigate potential attacks.
The flaw affects IBM API Connect versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0. Users are advised to download the interim fix from Fix Central, extract the accompanying files including Readme.md and ibm-apiconnect-<version>-ifix.13195.tar.gz, and apply the update according to the instructions corresponding to their version of the platform. For organizations unable to install the interim fix immediately, IBM recommends disabling self-service sign-up on Developer Portals to reduce exposure to the vulnerability. The company emphasized that following these steps is critical to maintaining secure access to the application and protecting organizational data.
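To turn the affected-version list above into a repeatable inventory check, here is a small triage script. It is an added example, not IBM's tooling: it encodes only the versions the advisory names (10.0.8.0 through 10.0.8.5, and 10.0.11.0) and flags asset records that fall inside those ranges. The host names and versions in the sample inventory are constructed for illustration.

```python
"""Triage helper for CVE-2025-13915 (IBM API Connect authentication bypass).

Added example, not IBM's tooling. It encodes only the affected versions the
advisory lists and flags inventory entries that fall inside them. The host
names and versions in SAMPLE_INVENTORY are constructed, not real systems.
"""
from __future__ import annotations

import re
from typing import Iterable

# Inclusive (low, high) version ranges taken from the advisory text.
AFFECTED_RANGES: list[tuple[tuple[int, ...], tuple[int, ...]]] = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]

# Leading dotted-numeric part of a version string; any trailing build or
# fix suffix is ignored rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.8.3' (optionally followed by a suffix) into a 4-tuple.

    Shorter strings are zero-padded ('10.0.8' -> 10.0.8.0); longer ones are
    truncated to four components, which errs on the side of reporting a
    host as affected rather than silently clearing it.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))[:4]
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies inside an affected range (inclusive)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return the names of inventory entries that still need the interim fix.

    inventory: (name, version) pairs, e.g. from an asset database export.
    """
    return [name for name, version in inventory if is_affected(version)]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("apic-mgmt-prod-1", "10.0.8.3"),
    ("apic-mgmt-prod-2", "10.0.8.5"),
    ("apic-portal-dev", "10.0.11.0"),
    ("apic-mgmt-staging", "10.0.8.6"),  # outside the affected range
    ("apic-legacy", "10.0.7.2"),  # outside the affected range
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected by CVE-2025-13915, apply the interim fix")
```

Run against a real export of (name, version) pairs, the returned list is the set of hosts to either patch with the interim fix or, until that is possible, to cover with the Developer Portal self-service sign-up restriction the advisory recommends.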
IBM API Connect is an end-to-end solution that enables enterprises to create, test, manage, and secure APIs across cloud and on-premises environments. The platform is widely used by companies including Axis Bank, Bankart, Etihad Airways, Finologee, IBS Bulgaria, State Bank of India, Tata Consultancy Services, and TINE. Its role in connecting APIs across critical business systems makes it a high-value target for attackers, particularly given the potential for authentication bypass to grant unrestricted access to sensitive interfaces. By addressing the vulnerability promptly, organizations can prevent potential exploitation that could impact business operations, customer information, and API ecosystem security.
Security experts note that even though no active attacks have been reported, the severity of the flaw warrants immediate action. The disclosure highlights the ongoing challenges enterprises face in securing widely adopted software solutions, particularly those handling API management at scale. IBM has provided detailed guidance and resources to ensure organizations can implement the fixes with minimal disruption. Adopting these measures promptly is essential for IT teams and security officers managing API infrastructure to prevent unauthorized access, maintain compliance, and protect corporate and customer data across distributed systems.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.