What is CVE-2025-13915?

It is a critical authentication bypass vulnerability in IBM API Connect with a CVSS score of 9.8 that allows remote attackers to gain unauthorized access.

Which versions of IBM API Connect are affected?

The vulnerability affects API Connect versions 10.0.8.0 through 10.0.8.5 and version 10.0.11.0.

How can attackers exploit this flaw?

Remote attackers can bypass authentication mechanisms to log in without valid credentials, requiring no complex skills or user interaction.

What is the recommended fix for CVE-2025-13915?

IBM recommends applying the specific interim fixes (iFixes) available on the IBM Support Portal or upgrading to a remediated version immediately.

Is there a temporary workaround if I cannot patch immediately?

Yes, administrators should disable self-service sign-up on the Developer Portal to minimize exposure until the official patch can be applied.

Advisory

IBM patches critical authentication bypass flaw in API Connect

published: Dec. 30, 2025

Take action: If you are using API Connect, this is an urgent and important patch. Patch the system ASAP. Until you can patch, disable the self-service sign-up feature to block attackers from skipping the login. If possible, isolate the API Connect service from the public internet and make it accessible via trusted networks.

Learn More

IBM reports a major flaw in its API Connect platform that allows attackers to skip the login process entirely and break into private systems.

The flaw is tracked as CVE-2025-13915 (CVSS score 9.8), classified as authentication bypass.

Affected versions are:

Version 10.0.8.0 through 10.0.8.5
Version 10.0.11.0

IBM released interim fixes (iFixes) for these versions to stop the threat. Security teams should go to the IBM Support Portal to get the right patches for their system. Upgrading to the latest version is the best way to keep the platform safe from these types of attacks.

IBM advises administrators who can't install the patch immediately to turn off self-service sign-up on the Developer Portal. This stops the primary vector ttackers use to exploit this flaw. Disabling the self-service signup should be considered only a temporary stopgap and the official patch should be applied.

IBM patches critical authentication bypass flaw in API Connect

Read More
Healthcare industry targeted by exploiting ManageEngine vulnerabilities
Ivanti reports another critical vulnerability in Endpoint Manager …
Critical flaw reported in Apache HugeGraph-Server
Atlassian Confluence patches high severity flaw with published …
Critical vulnerability in OpenSSH could expose Remote Code …