IBM API Connect Flaw Enables Authentication Bypass

IBM has disclosed a critical security flaw in its API Connect platform that allows attackers to bypass authentication entirely. The vulnerability is tracked as CVE-2025-13915 and has been assigned a CVSS score of 9.8, placing it in the critical severity category.

The issue is caused by a weakness in how API Connect handles primary authentication. An attacker does not need valid credentials, user interaction, or elevated privileges to exploit it. Network access to a vulnerable instance is enough to gain unauthorized access.

Key Details

  • CVE ID: CVE-2025-13915
  • Severity: Critical
  • CVSS Score: 9.8
  • Weakness Type: Authentication bypass (CWE-305)
  • Attack Complexity: Low
  • Privileges Required: None

Affected Versions

The vulnerability impacts the following IBM API Connect versions:

  • 10.0.8.0
  • 10.0.8.1
  • 10.0.8.2
  • 10.0.8.3
  • 10.0.8.4
  • 10.0.8.5
  • 10.0.11.0

IBM API Connect is commonly used to control authentication, authorization, and security policies for enterprise APIs. A successful authentication bypass at this layer can expose:

  • Backend API services
  • Sensitive business data
  • Internal application logic
  • Downstream systems connected to APIs

Because the flaw sits at the gateway level, exploitation could have a broad impact across environments.

Mitigation and Recommendations

IBM strongly advises customers to apply security updates immediately.

  • Users on 10.0.8.x should install the available interim fixes (iFixes).
  • Users on 10.0.11.0 should apply the released security patch.
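The affected-version list and the two remediation streams above map naturally onto a small inventory triage script. The following is an added example, not IBM's tooling or anything from the advisory: it normalises version strings as they typically appear in an asset inventory (stray whitespace, a leading "V"), checks each one against the versions the advisory lists, and reports the matching fix stream plus the Developer Portal interim measure. Hostnames, the inventory format and the `triage`/`triage_inventory` helpers are assumptions made for the example; a version that is not on the list is reported as "not listed" rather than declared safe, since the page does not say which later releases carry the fix.

```python
"""Triage an inventory of IBM API Connect versions against the versions
listed as affected by CVE-2025-13915 (added example, not IBM's tooling)."""
from typing import NamedTuple

# Affected versions exactly as listed in the advisory text above.
AFFECTED = {
    "10.0.8.0", "10.0.8.1", "10.0.8.2", "10.0.8.3", "10.0.8.4", "10.0.8.5",
    "10.0.11.0",
}

INTERIM = "until then, disable self-service sign-up on the Developer Portal"


class Triage(NamedTuple):
    version: str
    affected: bool
    action: str


def normalize(raw: str) -> str:
    """Turn an inventory string such as ' V10.0.8.3 ' into '10.0.8.3'.
    Raises ValueError for anything that is not four dot-separated integers,
    so a truncated or mistyped entry is surfaced instead of silently passing."""
    v = raw.strip().lower()
    if v.startswith("v"):
        v = v[1:]
    parts = v.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {raw!r}")
    return ".".join(str(int(p)) for p in parts)


def triage(raw: str) -> Triage:
    """Classify one version string and name the remediation stream."""
    v = normalize(raw)
    if v not in AFFECTED:
        return Triage(v, False, "not in the advisory's affected list; "
                                "confirm against IBM's bulletin")
    if v.startswith("10.0.8."):
        return Triage(v, True, f"install the 10.0.8.x interim fix (iFix); {INTERIM}")
    return Triage(v, True, f"apply the 10.0.11.0 security patch; {INTERIM}")


def triage_inventory(lines):
    """Run triage over inventory lines of the form '<hostname> <version>'.
    Returns (results, errors); a malformed line is reported, not swallowed."""
    results, errors = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, ver = line.split(maxsplit=1)
            results.append((host, triage(ver)))
        except ValueError as exc:
            errors.append(f"{line}: {exc}")
    return results, errors


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """
# host            version
apic-gw-prod-1    10.0.8.3
apic-gw-prod-2    v10.0.11.0
apic-gw-dev       10.0.9.0
apic-gw-lab       10.0.8
""".splitlines()


if __name__ == "__main__":
    results, errors = triage_inventory(SAMPLE_INVENTORY)
    for host, t in results:
        print(f"{host}: {t.version} affected={t.affected} -> {t.action}")
    for err in errors:
        print("ERROR", err)
```

Feed it the output of whatever asset inventory you keep for the gateways; the point of the `errors` list is that an entry like `10.0.8` (a stream name rather than a full version) is flagged for a human to resolve rather than being counted as either patched or unaffected.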

If patching cannot be done right away, IBM recommends disabling self-service sign-up on the Developer Portal to reduce exposure. This is a temporary measure and does not fully remove the risk.

What Organizations Should Do Now

  • Identify all IBM API Connect instances in use
  • Apply patches or interim fixes as a priority
  • Review API access and authentication logs for unusual activity
  • Limit external exposure until updates are completed

Given the high severity score and ease of exploitation, this vulnerability should be addressed immediately, not deferred.

About the Author:

FirstHackersNews - Identifies Security
