Discovered during internal testing, the flaw poses a significant risk to organizations relying on the platform for API management. It grants unauthorized actors access to the application without requiring valid credentials.
The vulnerability, tracked as CVE-2025-13915, has been assigned a critical CVSS base score of 9.8 out of 10. This near-maximum score reflects the ease of exploitation and the high impact on confidentiality, integrity, and availability.
The flaw is classified under CWE-305, which refers to an “Authentication Bypass by Primary Weakness.” According to the advisory, the issue allows a remote attacker to circumvent the login process entirely.
Because the attack vector is network-based (AV:N) and requires no special privileges (PR:N) or user interaction (UI:N), the risk of automated or widespread exploitation is high.
The vulnerability impacts specific versions of IBM API Connect. Administrators are urged to check their deployments for the following versions:
| Product | Affected Versions |
|---|---|
| IBM API Connect V10.0.8 | Versions 10.0.8.0 through 10.0.8.5 |
| IBM API Connect V10.0.11 | Version 10.0.11.0 |
IBM strongly recommends that all affected customers upgrade immediately to the patched versions. The company has released iFixes for the affected release ranges.
| Product Version | Fix Availability |
|---|---|
| IBM API Connect V10.0.8 | Patches available for versions 10.0.8.1 through 10.0.8.5 |
| IBM API Connect V10.0.11 | iFix available for version 10.0.11 |
For organizations that cannot immediately apply the patch, IBM has provided a temporary mitigation. Administrators should disable self-service sign-up on their Developer Portal if it is currently enabled.
While this does not fix the underlying code flaw, it helps minimize the attack surface and reduces exposure to this specific vulnerability until the permanent fix can be deployed.
The post Critical IBM API Connect Vulnerability Let Attackers Bypass Logins appeared first on Cyber Security News.