IBM has warned customers to urgently patch a critical security flaw in its API Connect platform that could let attackers access applications without logging in.
API Connect is an enterprise API gateway that helps organizations build, test, and manage APIs while controlling access to internal services. It is widely used across industries such as banking, healthcare, retail, and telecommunications, and supports on-premises, cloud, and hybrid environments.
The vulnerability, tracked as CVE-2025-13915, carries a critical severity score of 9.8 out of 10. It affects IBM API Connect version 10.0.11.0 and versions 10.0.8.0 through 10.0.8.5. If exploited, the flaw allows unauthenticated attackers to bypass security checks and remotely access exposed applications. The attack is considered low complexity and requires no user interaction.
IBM has advised system administrators to upgrade affected installations to the latest available version as soon as possible. According to the company, applying the update is the most effective way to block potential attacks. For customers who cannot immediately install the fix, IBM recommends disabling the self-service sign-up feature on the Developer Portal if it is enabled. This temporary step can help reduce exposure until the update is applied.
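The affected version ranges above are the kind of detail that ends up in an asset-inventory check. The following script, an added example and not IBM's code, parses dotted version strings and flags installs that fall inside the ranges the advisory names (10.0.8.0 through 10.0.8.5, and exactly 10.0.11.0). The hostnames and version strings in `SAMPLE_INVENTORY` are constructed sample data, and the script deliberately assumes nothing about the fixed version, since the text only names the affected ranges; a version outside them is reported as "not in the advisory's affected ranges", not as patched.

```python
"""Inventory helper for CVE-2025-13915 (IBM API Connect).

Added example, not IBM's code. Flags installs whose version falls inside the
ranges named in the advisory. Sample inventory below is constructed data.
"""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the advisory (inclusive bounds):
# 10.0.8.0 through 10.0.8.5, and exactly 10.0.11.0.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]

# Constructed sample inventory: (hostname, reported version).
SAMPLE_INVENTORY = [
    ("apic-gw-01.example.internal", "10.0.8.3"),
    ("apic-gw-02.example.internal", "10.0.8.6"),
    ("apic-mgr-01.example.internal", "10.0.11.0"),
    ("apic-mgr-02.example.internal", "10.0.11.1"),
    ("apic-dev-01.example.internal", "10.0.7.2"),
    ("apic-unknown.example.internal", "n/a"),
]


def parse_version(text: str) -> Version:
    """Parse a dotted version such as '10.0.8.3' into a comparable int tuple.

    Raises ValueError for anything that is not dot-separated integers, so a
    garbage value in the inventory is surfaced rather than silently compared.
    """
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so '10.0.8' compares as 10.0.8.0."""
    return v + (0,) * max(0, width - len(v))


def is_affected(version: str) -> bool:
    """True if the version lies inside any advisory-listed affected range."""
    v = _pad(parse_version(version))
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Classify each (host, version) pair.

    Returns one record per host with a 'status' of 'affected',
    'not_in_affected_ranges', or 'unparseable'. Hosts with unparseable
    versions are kept in the output so they get followed up manually.
    """
    results = []
    for host, version in inventory:
        try:
            status = "affected" if is_affected(version) else "not_in_affected_ranges"
        except ValueError:
            status = "unparseable"
        results.append({"host": host, "version": version, "status": status})
    return results


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Convenience view: just the hostnames that need the upgrade now."""
    return [r["host"] for r in triage(inventory) if r["status"] == "affected"]


if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        print(f"{rec['host']:32} {rec['version']:10} {rec['status']}")
```

Feed it whatever your CMDB or fleet tooling exports as (host, version) pairs; hosts that come back `unparseable` are worth a manual look, since a missing or malformed version is often a sign the install is not being tracked at all.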
The company has also shared detailed guidance on how to apply the security patch in VMware, OpenShift, and Kubernetes environments through its official support documentation.
This warning comes as U.S. cybersecurity authorities continue to highlight risks linked to unpatched IBM products. Over the past several years, the Cybersecurity and Infrastructure Security Agency has added multiple IBM vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Some of these flaws were actively used in real-world attacks, including ransomware campaigns.
Notably, security issues in IBM Aspera Faspex and IBM InfoSphere BigInsights were previously confirmed by U.S. authorities as being exploited by ransomware operators. These cases underline the importance of applying security updates quickly to prevent similar attacks.
IBM customers using API Connect are strongly encouraged to review their systems and take action immediately to avoid unauthorized access and potential data breaches.