IBM is urging customers to patch a critical authentication-bypass vulnerability in its API Connect platform that could let remote attackers access applications behind the gateway.
API Connect acts as an application programming interface (API) gateway, allowing organizations to create, test, and manage APIs while controlling access to internal services for developers, business partners, and applications.
Offered in on-premises, cloud, or hybrid models, API Connect is utilized by numerous companies across banking, healthcare, retail, and telecommunications industries.
Identified as CVE-2025-13915 with a severity rating of 9.8/10, this authentication bypass vulnerability impacts IBM API Connect versions 10.0.11.0 and from 10.0.8.0 to 10.0.8.5.
Successful exploitation lets an unauthenticated remote attacker bypass authentication and reach exposed applications. The attack needs no privileges and no user interaction and has low complexity, which is the combination reflected in the 9.8 score.
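The affected-version list above is the first thing an operator needs to turn into an inventory check, and the usual mistake is comparing version strings lexically (where "10.0.8.10" sorts before "10.0.8.5"). The following triage helper is an added example, not IBM's tooling; it encodes only the ranges the advisory summary states (10.0.8.0 through 10.0.8.5, and 10.0.11.0), and the hostnames and versions in the sample inventory are constructed. Versions outside those ranges are reported as not listed, not as confirmed safe.

```python
"""Triage helper: flag IBM API Connect versions listed as affected by CVE-2025-13915.

Added example, not IBM tooling. Affected ranges come from the advisory
summary: 10.0.11.0, and 10.0.8.0 through 10.0.8.5 (both inclusive).
The inventory at the bottom is constructed sample data.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

# Affected ranges as (inclusive low, inclusive high), taken from the advisory summary.
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]


def parse_version(text: str) -> Version:
    """Parse '10.0.8.10' into (10, 0, 8, 10).

    Integer tuples compare component-wise, so (10,0,8,10) > (10,0,8,5),
    whereas the strings '10.0.8.10' < '10.0.8.5' because '1' < '5'.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Version, n: int = 4) -> Version:
    """Right-pad with zeros so a short version like '10.0.8' compares as 10.0.8.0."""
    return v + (0,) * (n - len(v))


def is_affected(text: str) -> bool:
    """True if the version falls inside any of the listed affected ranges."""
    v = pad(parse_version(text))
    return any(pad(lo) <= v <= pad(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) entries whose version is in a listed affected range."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("apic-prod-01.example.internal", "10.0.8.5"),
    ("apic-prod-02.example.internal", "10.0.8.10"),  # outside the listed range, though lexically < "10.0.8.5"
    ("apic-dev-01.example.internal", "10.0.11.0"),
    ("apic-lab-01.example.internal", "10.0.7.9"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"PATCH: {host} runs {ver} (listed as affected by CVE-2025-13915)")
```

Feed it the output of whatever inventory source you trust for API Connect versions; the point of the helper is the numeric, component-wise comparison, which is what a hand-written string match gets wrong.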
IBM has urged system administrators to upgrade to the latest version to mitigate the risk of attacks and has provided alternative measures for those unable to implement immediate updates.
“IBM API Connect permits remote attackers to circumvent authentication processes, granting unauthorized access to the application. We strongly advise customers to tackle this vulnerability by upgrading promptly,” the company stated. “For those who cannot apply the interim fix, it is recommended to disable self-service sign-up on their Developer Portal to minimize exposure.”
Comprehensive instructions on how to apply the CVE-2025-13915 patch for VMware, OCP, and Kubernetes environments can be found in this support document.
In recent years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several IBM vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch them under Binding Operational Directive (BOD) 22-01.
Two of these, a code execution flaw in IBM Aspera Faspex (CVE-2022-47986) and an invalid input vulnerability in IBM InfoSphere BigInsights (CVE-2013-3993), have also been flagged by the agency as used in ransomware campaigns.