CVE-2025-13915
Authentication Bypass in IBM API Connect 10.0.8.x and
Publication date: 2025-12-26
Last updated on: 2025-12-26
Assigner: IBM Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | api_connect | 10.0.8.5 |
| ibm | api_connect | 10.0.8.0 |
| ibm | api_connect | 10.0.11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in IBM API Connect versions 10.0.8.0 through 10.0.8.5, and 10.0.11.0 allows a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to the application, potentially allowing attackers to compromise confidentiality, integrity, and availability of the system and its data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
IBM strongly recommends upgrading to remediated versions of IBM API Connect to address the vulnerability. Specific interim fixes (iFix) are available for each affected version, with download and installation instructions provided via IBM support links. For customers unable to apply the fixes immediately, IBM advises disabling the self-service sign-up feature on the Developer Portal to reduce exposure. [1]