IBM has released updates for a critical authentication bypass vulnerability in its API Connect tool.

The company disclosed the bug (CVE-2025-13915) on Dec. 25, warning that it is remotely exploitable and can give an attacker the ability to gain access to a target app without authentication. IBM published updates for the affected versions of API Connect on Jan. 2, and urged organizations to update affected versions as soon as possible.

API Connect is a tool that organizations use to manage, create, and secure APIs across platforms. The affected versions include 10.0.8.0-10.0.8.5. 

High-Impact Remote Exploitation

The vulnerability is particularly dangerous because it could allow a remote attacker to gain unauthorized access to affected systems without needing valid credentials. IBM said in its advisory that the flaw was identified through internal testing, noting that the weakness is an implementation error that allows authentication mechanisms to be bypassed. Auth bypass vulnerabilities can be especially dangerous for enterprises, and IBM urged companies that can’t upgrade immediately to apply mitigations.

“Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exposure to this vulnerability,” the advisory says. 

Although the vulnerability is potentially quite concerning, there have not been any reports of active exploitation yet.