CVE-2025-13915: Critical Authentication Bypass in IBM API Connect
- Rhoda Smart
- 6 days ago
- 1 min read
IBM has disclosed a critical security vulnerability in its API Connect platform that could allow attackers to bypass authentication and gain unauthorized access to the application.

API Connect is commonly used by large organizations to build, manage, and secure APIs across cloud and on-prem environments, which increases the potential impact of this vulnerability.
The issue, tracked as CVE-2025-13915, has a CVSS score of 9.8, placing it in the critical severity range. According to IBM, the flaw is an authentication bypass that could be exploited remotely, allowing attackers to access API Connect without valid credentials.
The vulnerability affects API Connect versions 10.0.8.0 through 10.0.8.5, as well as version 10.0.11.0.
IBM has released an interim fix through Fix Central and advises customers to apply the patch based on their specific API Connect version. As a temporary mitigation, organizations that cannot immediately install the fix are advised to disable self-service sign-up on the Developer Portal to reduce exposure.
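A defender-side triage check for the affected version ranges listed above, as an added example that is not from IBM or the article; the host inventory is constructed, and padding short version strings with zeros is an assumption of this script, not something the advisory states.

```python
"""Flag IBM API Connect instances whose version falls in the ranges the
CVE-2025-13915 advisory lists as affected: 10.0.8.0 through 10.0.8.5
(inclusive) and 10.0.11.0. Versions outside those ranges are reported
as 'not listed', not as 'safe', since the article names no fixed build."""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]


def parse_version(text: str) -> Version:
    """Turn '10.0.8.3' into (10, 0, 8, 3). Assumption: a shorter string
    such as '10.0.8' is padded with zeros so it compares as 10.0.8.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True if the version lies inside any advisory range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'not listed' or 'unparseable'.
    'not listed' means only that the version is outside the published
    ranges; confirm the Fix Central interim fix separately."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = {
    "apic-prod-01.example.internal": "10.0.8.5",
    "apic-prod-02.example.internal": "10.0.8.6",
    "apic-dev-01.example.internal": "10.0.11.0",
    "apic-legacy.example.internal": "10.0.7.2",
    "apic-unknown.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```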
The disclosure and remediation details have also been discussed within the security community, including coverage on Hacker News, highlighting ongoing concerns around high-severity authentication bypass vulnerabilities in enterprise platforms.
At the time of disclosure, there is no public evidence that the flaw is being actively exploited, but given the severity score, applying the fix should be treated as a priority.