IBM warns of critical API Connect bug enabling remote access

AndyC 3 January 2026

IBM warns of critical API Connect bug enabling remote access

IBM warns of critical API Connect bug enabling remote access

IBM warns of critical API Connect bug enabling remote access

IBM warns of critical API Connect bug enabling remote access

Pierluigi Paganini
January 02, 2026

IBM disclosed a critical API Connect flaw (CVE-2025-13915, CVSS 9.8) that allows remote access via an authentication bypass.

IBM addressed a critical API Connect vulnerability, tracked as CVE-2025-13915 (CVSS score of 9.8) that allows remote access via an authentication bypass.

API Connect is IBM’s API management platform. It’s used by organizations to create, secure, manage, publish, and monitor APIs across their environments.

The vulnerability is a potential authentication bypass in IBM API Connect that was discovered during internal testing.

“IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.” reads the advisory.

The flaw impacts the following products and versions:

Affected Product(s) Version(s)
API Connect V10.0.8.0-V10.0.8.5
API Connect V10.0.11.0

As a workaround, customers who cannot apply the interim fix should disable self-service sign-up on the Developer Portal to reduce exposure to the vulnerability.

At this time, there is no evidence of active exploitation. Users are strongly advised to apply the fixes promptly to ensure protection.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, IBM)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , , ,

More Stories

Covenant Health data breach after ransomware attack impacted over 478,000 people

Covenant Health data breach after ransomware attack impacted over 478,000 people

AndyC 3 January 2026
The Kimwolf Botnet is Stalking Your Local Network

The Kimwolf Botnet is Stalking Your Local Network

AndyC 3 January 2026
Phishing campaign abuses Google Cloud Application to impersonate legitimate Google emails

Phishing campaign abuses Google Cloud Application to impersonate legitimate Google emails

AndyC 3 January 2026
Trust Wallet confirms second Shai-Hulud supply-chain attack, .5M in crypto stolen

Trust Wallet confirms second Shai-Hulud supply-chain attack, $8.5M in crypto stolen

AndyC 2 January 2026
React2Shell under attack: RondoDox Botnet spreads miners and malware

React2Shell under attack: RondoDox Botnet spreads miners and malware

AndyC 2 January 2026
ESA disclosed a data breach, hackers breached external servers

ESA disclosed a data breach, hackers breached external servers

AndyC 1 January 2026

You may have missed

Covenant Health data breach after ransomware attack impacted over 478,000 people

Covenant Health data breach after ransomware attack impacted over 478,000 people

AndyC 3 January 2026
The Kimwolf Botnet is Stalking Your Local Network

The Kimwolf Botnet is Stalking Your Local Network

AndyC 3 January 2026
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

AndyC 3 January 2026

Hacker Claims 200GB Data Theft From European Space Agency — Here’s What We Know

AndyC 3 January 2026
Best of 2025: Huge Food Wholesaler Paralyzed by Hack — is it Scattered Spider Again?

Best of 2025: Huge Food Wholesaler Paralyzed by Hack — is it Scattered Spider Again?

AndyC 3 January 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.