Cybersecurity Threat Advisory: Critical vulnerability in IBM API Connect

A newly disclosed security vulnerability, CVE-2025-13915, affects IBM API Connect. This flaw could allow a remote attacker to bypass authentication and gain unauthorized access to applications. Review this Cybersecurity Threat Advisory for steps to mitigate your risk.

What is the threat?

CVE-2025-13915 carries a CVSS score of 9.8/10, placing it in the critical severity band. It impacts IBM API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5. API Connect serves as an API gateway for hundreds of organizations across the banking, healthcare, retail, and telecom sectors. Exploitation requires minimal effort and no user interaction, and can be carried out entirely over the network, granting attackers access to applications exposed through API Connect without valid credentials.

Why is it noteworthy?

This vulnerability enables unauthenticated remote attackers to bypass security controls and gain full access to sensitive API gateways. It essentially acts as a “skeleton key” for backend systems. The flaw undermines a core security assumption in enterprise architecture: that traffic passing through an API gateway is trusted. Classified under CWE-305: Authentication Bypass by Primary Weakness, it highlights a failure to enforce identity verification at a critical point in the application.

What is the exposure or risk?

This flaw could allow a remote party to bypass authentication and reach exposed applications without any user interaction. IBM API Connect is a full lifecycle API gateway for building, testing, managing, securing, and analyzing APIs, with AI-driven capabilities such as automated lifecycle tasks and a self-service developer portal; anything published through the gateway is therefore within the blast radius of an authentication bypass.

What are the recommendations?

Barracuda recommends the following actions to secure your systems against this risk:

  • Apply the official fix:
    • Download the patch from IBM Fix Central.
    • Extract the files: Readme.md and ibm-apiconnect-<version>-ifix.13195.tar.gz.
    • Apply the fix corresponding to your API Connect version.
  • If you cannot apply the fix immediately:
    • Disable self-service sign-up on the Developer Portal to reduce exposure.
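As an added triage aid (example code written for this advisory, not IBM or Barracuda tooling), the script below checks an inventory of API Connect deployments against the affected version ranges stated above. Hostnames and version strings in the sample inventory are constructed; it also shows why versions must be compared numerically rather than as strings.

```python
"""Flag IBM API Connect deployments whose version falls in the ranges
named in this advisory. Constructed example; not vendor tooling."""
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges from the advisory, as inclusive (low, high) pairs:
# 10.0.11.0 alone, and 10.0.8.0 through 10.0.8.5.
AFFECTED_RANGES = (
    ((10, 0, 11, 0), (10, 0, 11, 0)),
    ((10, 0, 8, 0), (10, 0, 8, 5)),
)


def parse_version(text: str) -> Version:
    """Turn '10.0.8.5' into (10, 0, 8, 5), padding short strings with zeros.

    Tuples compare component by component as integers, which avoids the
    string-comparison pitfall where '10.0.8.10' sorts before '10.0.8.5'.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(text: str) -> bool:
    """True if the version lies inside any advisory range (inclusive)."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version string to host -> triage status."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "outside stated ranges"
        except ValueError:
            result[host] = "unparseable"  # needs manual follow-up
    return result


if __name__ == "__main__":
    sample = {  # constructed inventory
        "apic-gw-01": "10.0.8.3",
        "apic-gw-02": "10.0.8.10",
        "apic-gw-03": "10.0.11.0",
        "apic-mgr-01": "10.0.7.2",
        "apic-dev-01": "unknown",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "outside stated ranges" still warrant confirmation against IBM's current advisory text, since this check encodes only the ranges quoted above.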

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
