Critical authentication-bypass flaw found in IBM API Connect


IBM has disclosed a critical authentication bypass vulnerability in API Connect that could let a remote attacker gain unauthorized access to the application. The issue is tracked as CVE-2025-13915 and carries a CVSS score of 9.8.

The flaw affects API Connect versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0.
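Because the affected set is two version ranges rather than one build, the practical first step is to run an inventory against those ranges. The script below is an added triage helper written for this article; it is not IBM's code and IBM provides no such tool. It encodes only the ranges quoted above (10.0.8.0 through 10.0.8.5, and 10.0.11.0), treats any other version as "not listed" rather than "safe", and refuses to classify version strings it cannot parse so they get a human look. The host names and versions in the sample inventory are constructed.

```python
"""Triage helper for CVE-2025-13915 (added example, not IBM's code).

Affected per IBM's advisory: API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0.
Anything outside those ranges is reported as "not listed", not "safe": the
advisory text does not state that other release streams are unaffected.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Inclusive (low, high) ranges copied from the advisory wording.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]


def parse_version(text: str) -> Version:
    """Parse a four-part numeric version such as '10.0.8.3' into an int tuple.

    Strings with a different shape (fewer parts, or a fix-pack suffix such as
    '10.0.8.5-ifix') raise ValueError so that an odd inventory entry is
    reviewed by hand instead of being silently bucketed.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised API Connect version string: {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def is_listed_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    # Tuple comparison is lexicographic, which matches dotted-version ordering
    # once every entry has exactly four numeric components.
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {host: version} inventory into follow-up buckets.

    'affected'    - patch or apply the Developer Portal workaround now
    'not_listed'  - outside the quoted ranges; confirm against the advisory
    'unparseable' - version string needs a human look
    """
    buckets: Dict[str, List[str]] = {"affected": [], "not_listed": [], "unparseable": []}
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "affected" if is_listed_affected(ver) else "not_listed"
        except ValueError:
            bucket = "unparseable"
        buckets[bucket].append(host)
    return buckets


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = {
    "apic-prod-01": "10.0.8.3",
    "apic-prod-02": "10.0.8.5",
    "apic-dev-01": "10.0.11.0",
    "apic-lab-01": "10.0.7.2",
    "apic-lab-02": "10.0.8.5-ifix",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version column from your CMDB or from the API Connect management console and work the `affected` bucket first; anything in `unparseable` is usually a host already carrying an interim fix and should be checked against the Readme that ships with the fix rather than guessed at.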

IBM advises customers to download the interim fix from Fix Central, extract the files Readme.md and ibm-apiconnect-<version>-ifix.13195.tar.gz, and apply the appropriate fix for their API Connect version.

Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal, if it is enabled. IBM presents this as a way to reduce exposure, not as a replacement for the fix.

API Connect is an end-to-end API solution used to create, test, manage and secure APIs on cloud and on-premises systems and is employed by organizations such as Axis Bank, Bankart, Etihad Airways, Finologee, IBS Bulgaria, State Bank of India, Tata Consultancy Services and TINE.

IBM reported there is no evidence the vulnerability has been exploited in the wild, but urged users to apply the fixes as soon as possible.
