IBM Warns of Critical API Connect Bug Allowing Remote Authentication Bypass

  • Dec 31
  • 2 min read

Key Findings


  • IBM disclosed a critical vulnerability (CVE-2025-13915) in its API Connect product that allows remote attackers to bypass authentication and gain unauthorized access.

  • The vulnerability has a CVSS score of 9.8, placing it in the Critical severity band.

  • The issue affects versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0 of IBM API Connect.


Background


IBM API Connect is an end-to-end API management solution that organizations use to create, test, manage, and secure APIs hosted in cloud and on-premises environments. Its users include Axis Bank, Bankart, Etihad Airways, Finologee, IBS Bulgaria, State Bank of India, Tata Consultancy Services, and TINE.


Vulnerability Details


  • The vulnerability is an authentication bypass flaw that could allow remote attackers to gain unauthorized access to the API Connect application.

  • IBM stated that "IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application."

  • The issue is present in versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0 of IBM API Connect.


Mitigation and Remediation


  • IBM has provided an interim fix that customers can download from Fix Central.

  • The fix ships as a Readme.md file and an ibm-apiconnect-<version>-ifix.13195.tar.gz package; users extract the package and apply the build that matches their API Connect version.

  • Customers unable to install the interim fix are advised to disable self-service sign-up on their Developer Portal, if enabled, to minimize their exposure to this vulnerability.
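The affected-version list and the two remediation options above translate directly into a triage check. The following is an added example written for this brief, not IBM's tooling: it compares an installed version against the ranges the advisory names (10.0.8.0 through 10.0.8.5, and 10.0.11.0) and picks the next step the advisory recommends. The inventory records, hostnames and field names (ifix_applied, self_service_signup) are constructed assumptions.

```python
"""Triage helper for the IBM API Connect advisory summarised above.

Added example for this brief, not IBM's own tooling. The affected versions
and the two remediation options (apply the interim fix, or disable Developer
Portal self-service sign-up) come from the advisory text; the inventory
records below are constructed sample data and the field names are assumptions.
"""

# Affected version ranges as stated in the advisory for CVE-2025-13915,
# expressed as inclusive (low, high) tuples of four integer components.
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]


def parse_version(text):
    """Parse an API Connect version such as '10.0.8.3' into a 4-tuple.

    Integer tuples compare component-wise, so '10.0.8.10' correctly sorts
    after '10.0.8.5' (a plain string comparison would get that wrong).
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_action(version, ifix_applied, self_service_signup):
    """Pick the next step for one deployment, following the advisory.

    An affected build without the interim fix should get the fix; where that
    is not yet possible, turning off self-service sign-up on the Developer
    Portal is the stated stop-gap. Versions outside the listed ranges are
    reported as 'not-listed' rather than 'safe', since the brief says nothing
    about them.
    """
    if not is_affected(version):
        return "not-listed"
    if ifix_applied:
        return "fixed"
    if self_service_signup:
        return "apply-ifix; disable self-service sign-up until then"
    return "apply-ifix"


def triage(inventory):
    """Return {hostname: action} for a list of deployment records."""
    return {
        rec["host"]: recommended_action(
            rec["version"], rec["ifix_applied"], rec["self_service_signup"]
        )
        for rec in inventory
    }


# Constructed sample inventory (hostnames, versions and flags are made up).
SAMPLE_INVENTORY = [
    {"host": "apic-prod-1", "version": "10.0.8.3", "ifix_applied": False, "self_service_signup": True},
    {"host": "apic-prod-2", "version": "10.0.8.5", "ifix_applied": True, "self_service_signup": True},
    {"host": "apic-test-1", "version": "10.0.11.0", "ifix_applied": False, "self_service_signup": False},
    {"host": "apic-legacy", "version": "10.0.7.2", "ifix_applied": False, "self_service_signup": True},
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

The version parser insists on four numeric components because the advisory's ranges are four-component; rejecting anything else avoids silently mis-classifying a build string it does not understand.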


Conclusion


  • The critical vulnerability in IBM API Connect could have severe consequences, allowing remote attackers to bypass authentication and gain unauthorized access to the application.

  • IBM has released an interim fix, and customers are advised to apply the update as soon as possible to protect their systems and data.

  • While there is no evidence of the vulnerability being actively exploited in the wild, users should remain vigilant and follow IBM's recommended mitigation steps to ensure the security of their API infrastructure.


Sources


  • https://thehackernews.com/2025/12/ibm-warns-of-critical-api-connect-bug.html

  • https://securityonline.info/hijacked-mobility-cisa-warns-of-critical-9-8-flaw-allowing-remote-control-of-whill-power-chairs/

  • https://www.instagram.com/p/DS7xrOhDwNy/

  • https://www.reddit.com/r/SecOpsDaily/comments/1q0dpup/ibm_warns_of_critical_api_connect_bug_allowing/

  • https://x.com/TheCyberSecHub/status/2006363351706902546

  • https://www.linkedin.com/pulse/ibm-issues-urgent-warning-over-critical-api-connect-fa49e

© 2025 by Explain IT Again. Powered and secured by Wix