CVE-2025-13915: Critical Authentication Bypass in IBM API Connect
CVE-2025-13915 is a critical authentication bypass vulnerability in IBM API Connect, a widely deployed enterprise API management and gateway platform used by organizations in banking, healthcare, telecom, and retail. Rated with a CVSS score of 9.8, the flaw allows remote attackers to circumvent authentication controls without valid credentials or user interaction, posing a severe threat to API security and the backend systems behind the gateway.
The underlying issue stems from improper validation of authentication tokens during API request processing, which allows specially crafted requests to be erroneously accepted as authenticated. Successful exploitation could lead not only to unauthorized access to protected APIs, but also to manipulation of system configuration, theft of API credentials or OAuth tokens, and unauthorized access to downstream services, effectively compromising an organization’s entire API ecosystem.
Affected versions include IBM API Connect 10.0.8.0 through 10.0.8.5 and 10.0.11.0 in both on-premises and cloud deployments. Although there have been no confirmed reports of widespread exploitation in the wild, documented concerns from multiple national CERTs and moderate EPSS risk scores indicate that exploitation is likely once public details circulate.
Mitigation steps include applying IBM’s interim fixes (iFixes), disabling self-service sign-ups on developer portals, tightening access control and MFA enforcement, and monitoring authentication traffic for anomalies.
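Two of the steps above lend themselves to simple tooling: checking an inventory of API Connect instances against the affected version ranges stated in this advisory, and correlating gateway access logs with the authorization server's token-issuance log so that a request the gateway accepted as authenticated on a token that was never issued (or was already revoked) stands out. The block below is an added example written for this page; it is not IBM's code, and the key=value log format, field names (`event`, `token_id`, `auth`, `src`) and log lines are all constructed here. The advisory does not describe the exact validation defect, so the correlation is a generic heuristic, not a signature for this CVE.

```python
"""Added example for CVE-2025-13915 defenders: version-range check and
token-issuance correlation over constructed gateway logs. Not IBM code;
the log format and field names are assumptions made for this example."""
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges exactly as stated in the advisory (inclusive bounds).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]


def parse_version(text: str) -> Version:
    """Parse '10.0.8.3' (or a shorter '10.0.8') into a 4-tuple, padding with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (4 - len(parts))  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version falls inside any advisory-listed affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed key=value log format (assumption): fields separated by spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV.findall(line)}


def suspicious_authenticated_calls(issuance_log: List[str],
                                   access_log: List[str]) -> List[Dict[str, str]]:
    """Flag gateway requests accepted as authenticated whose token the
    authorization server never issued, has revoked, or that carry no token at all."""
    issued: Set[str] = set()
    revoked: Set[str] = set()
    for rec in map(parse_kv, issuance_log):
        if rec.get("event") == "token_issued":
            issued.add(rec["token_id"])
        elif rec.get("event") == "token_revoked":
            revoked.add(rec["token_id"])

    findings: List[Dict[str, str]] = []
    for rec in map(parse_kv, access_log):
        if rec.get("auth") != "ok":
            continue  # rejected requests are the gateway behaving as intended
        tok = rec.get("token_id")
        if tok is None:
            rec["reason"] = "accepted as authenticated without any token_id"
        elif tok in revoked:
            rec["reason"] = "accepted a token the authorization server revoked"
        elif tok not in issued:
            rec["reason"] = "accepted a token the authorization server never issued"
        else:
            continue
        findings.append(rec)
    return findings


# Constructed sample logs (not real traffic); tok_b2 is issued then revoked.
ISSUANCE_LOG = [
    "ts=2025-12-01T10:00:00Z event=token_issued token_id=tok_a1 client=mobile-app",
    "ts=2025-12-01T10:05:00Z event=token_issued token_id=tok_b2 client=partner-portal",
    "ts=2025-12-01T10:06:00Z event=token_revoked token_id=tok_b2",
]
ACCESS_LOG = [
    "ts=2025-12-01T10:01:00Z method=GET path=/v1/accounts status=200 auth=ok token_id=tok_a1 src=203.0.113.10",
    "ts=2025-12-01T10:07:00Z method=GET path=/v1/accounts status=401 auth=fail token_id=tok_zz src=198.51.100.7",
    "ts=2025-12-01T10:07:05Z method=POST path=/v1/transfers status=200 auth=ok token_id=tok_zz src=198.51.100.7",
    "ts=2025-12-01T10:07:09Z method=GET path=/v1/admin/config status=200 auth=ok src=198.51.100.7",
    "ts=2025-12-01T10:08:00Z method=GET path=/v1/accounts status=200 auth=ok token_id=tok_b2 src=203.0.113.22",
]

if __name__ == "__main__":
    for ver in ("10.0.8.3", "10.0.8.6", "10.0.11.0", "10.0.10.2"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'not in affected range'}")
    for hit in suspicious_authenticated_calls(ISSUANCE_LOG, ACCESS_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['path']}: {hit['reason']}")
```

The issuance correlation only works when the gateway logs a token identifier and the authorization server logs issuance and revocation events that share it; if your deployment logs opaque tokens without an id, correlate on a hash of the token instead. Treat a hit as a lead for incident response, not as proof of exploitation, and pair it with the iFix roll-out and the MFA and sign-up hardening the advisory lists.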