CVE-2025-13915

Published Dec 26, 2025

Last updated 4 months ago

CVSS critical 9.8
IBM API Connect
API

Overview

Description: IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
Source: psirt@us.ibm.com
NVD status: Analyzed
Products: api_connect

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

psirt@us.ibm.com: CWE-305

Social media

Hype score: Not currently trending
  1. #VulnerabilityReport #APIConnect CVE-2025-13915: Critical 9.8 Flaw in IBM API Connect Lets Attackers Bypass Login https://t.co/qit9R1pNZW

    @Komodosec

    2 Feb 2026

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 IBM API Connect [—] Jan 12, 2026 Critical Security Advisory: Authentication Bypass Vulnerability (CVE-2025-13915) Targets Multiple Versions of IBM API Connect, Urgent Patch Recommended Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1... https://t.co/1cdOq

    @transilienceai

    12 Jan 2026

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 IBM API Connect [—] Jan 10, 2026 Critical Security Advisory: Authentication Bypass Vulnerability (CVE-2025-13915) with Affected Version Summary, Risk Assessment, and Recommended Remediation Actions. Checkout our Threat Intelligence Platform:... https://t.co/RNffE38hhZ

    @transilienceai

    10 Jan 2026

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 IBM API Connect [—] Jan 08, 2026 Comprehensive Security Advisory on the Critical Authentication Bypass Vulnerability (CVE-2025-13915) affecting IBM API Connect. Immediate action is required to mitigate risks from recent disclosures. Checkout our Threat Intelligence https:/

    @transilienceai

    8 Jan 2026

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. IBM API Connect is affected by a critical authentication bypass vulnerability (CVE-2025-13915), allowing remote attackers to access applications without credentials. Update affected versions (10.0.8.0-10.0.8.5, 10.0.11.0) with IBM iFixes now. Read more: https://t.co/aILsWO937b h

    @wazuh

    6 Jan 2026

    270 Impressions

    3 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Singapore Cyber Agency Warns of Critical IBM API Connect #Vulnerability (CVE-2025-13915)  https://t.co/uRufAttwDA https://t.co/GZE6PfHVOh

    @evanderburg

    6 Jan 2026

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. IBM has disclosed a critical authentication bypass vulnerability (CVE-2025-13915, CVSS 9.8) in API Connect versions 10.0.8.0 to 10.0.8.5 & 10.0.11.0. Remote attackers can exploit it to gain unauthorized access. Patch immediately! #Cy

    @bigmacd16684

    5 Jan 2026

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. ⚠️ Vulnerability in IBM products ❗ CVE-2025-13915 ➡️ More info: https://t.co/HTR71pDcZg https://t.co/Lw2Ma1azuI

    @CERTpy

    5 Jan 2026

    247 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. A critical flaw in IBM API Connect (CVE-2025-13915) allows remote attackers to bypass authentication and access sensitive data. Interim fixes released for versions 10.0.8.0 to 10.0.8.5. #AuthBypass #IBM #USA https://t.co/UAlNeX6BFY

    @TweetThreatNews

    5 Jan 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨 IBM API Connect [—] Jan 05, 2026 Critical vulnerability report covering CVE-2025-13915 in IBM API Connect, focusing on symptoms, business risks, affected versions, urgent remediation strategies, and vendor advisories from the past 10 days. Checkout our Threat Intelligence.

    @transilienceai

    5 Jan 2026

    93 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. IBM API Connect CVE-2025-13915: Critical Authentication Bypass Affecting Enterprise API Gateways at Major Financial and Telecom Organizations - https://t.co/kN9fk2MpBO

    @Cyberwarzonecom

    3 Jan 2026

    119 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. IBM discloses a critical CVSS 9.8 flaw (CVE-2025-13915) in API Connect. Also, cybercriminals are abusing Google Cloud's email feature in a multi-stage phishing campaign. (Source: The Hacker News, Jan 2026).

    @AnonNews_irc

    3 Jan 2026

    116 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. URGENT: Critical vulnerabilities hit DFAT, IBM API Connect & MongoDB. From "MongoBleed" to AI code injection, Australian digital ecosystems are under siege. Is your organization patched against CVE-2025-13915? Read more: https://t.co/HAGINHTWYo #CyberSecurity #InfoSec #Aus

    @LeanSecAU

    3 Jan 2026

    116 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Latest: 10,000+ Fortinet firewalls exposed to old MFA bypass (CVE-2020-12812). IBM disclosed critical API Connect auth bypass (CVE-2025-13915, CVSS 9.8). Pebble resurrected its round smartwatch, and Samsung launched the Freestyle+ AI projector.

    @AnonNews_irc

    2 Jan 2026

    112 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-13915 Auth bypass found. IBM promises patch. Friday. Of course. CVSS high. "Critical," they declared late. Update your resume. API Connect. Authentication? None. Enterprise dreams. https://t.co/5bUxFvMh1A

    @gothburz

    2 Jan 2026

    2625 Impressions

    3 Retweets

    25 Likes

    1 Bookmark

    6 Replies

    2 Quotes

  16. Critical Alert: IBM API Connect is affected by a CVSS 9.8 authentication bypass vulnerability (CVE-2025-13915). Remote attackers can gain unauthorized access to affected versions 10.0.8.x and 10.0.11.0. Patch immediately. Read more: https://t.co/apgdvuUyM5 #CyberSecurity

    @socradar

    2 Jan 2026

    166 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  17. IBM disclosed a critical vulnerability in API Connect, tracked as CVE-2025-13915, rated 9.8 on the CVSS scale. This authentication bypass flaw allows remote attackers unauthorized access to the application. Affected versions include 10.0.8.0 to 10.0.8. https://t.co/834C2rgbim

    @securityRSS

    2 Jan 2026

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 We are warning of a critical vulnerability in IBM API Connect, CVE-2025-13915. This vulnerability allows unauthenticated remote attackers to completely bypass login mechanisms and gain unauthorized access to affected systems. The vulnerability repres

    @GOVCERT_CZ

    2 Jan 2026

    273 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. IBM API Connect users: Immediate action is required. A critical Authentication Bypass vulnerability with a CVSS score of 9.8/10 has been disclosed. Attackers can gain unauthorized access without credentials. CVE: CVE-2025-13915 Patch NOW #CyberSecurity #InfoSec #APIConne

    @ACCESSYSTEM_IT

    2 Jan 2026

    87 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Why CVE-2025-13915 in IBM API Connect is a Wake-Up Call for Inherited Trust. Read the full report on - https://t.co/9tFLO81v5L https://t.co/4AplaCrd6y

    @cyberbivash

    1 Jan 2026

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🔹 Details of the fixes available for CVE-2025-13915 in IBM API Connect: • Main fix: IBM has released interim updates (interim fixes or iFixes) for all affected versions. It is strongly recommended to appl

    @GMashari

    1 Jan 2026

    78 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 Critical vulnerability in IBM API Connect (CVE-2025-13915) 🔹 IBM has warned of a serious security vulnerability in the IBM API Connect platform, a platform used to manage application programming interfaces (APIs) within large organizations and

    @GMashari

    1 Jan 2026

    85 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. IBM warns of critical API Connect auth bypass vulnerability (CVE-2025-13915) https://t.co/8PLFZiOsl7 #patchmanagement

    @eyalestrin

    1 Jan 2026

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🚨⚠️ Critical security flaw in IBM API Connect! Attackers could gain remote access 👾 CVE-2025-13915 scored 9.8 🛡️ #CyberSecurity #IBM #APISecurity Find out more: https://t.co/OayxOVLsLd

    @HackingRabbitS

    1 Jan 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. CVE-2025-13915 poses a severe risk with its authentication bypass in IBM API Connect! Don't miss our detailed analysis to understand the implications and how to mitigate risks. Read more here: https://t.co/kEf79g2dW0 #CVE #APISecurity

    @Smart_NFT2

    1 Jan 2026

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. IBM discloses a critical flaw in API Connect (CVE-2025-13915, score 9.8/10) allowing an authentication bypass. High risk of unauthorized remote access. #Cybersecurity #Vulnerability https://t.co/TZskU1FDhF @TheHackersNews

    @cyberwatcher_

    1 Jan 2026

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🚨 Critical vulnerability in IBM API Connect (CVE-2025-13915) 🔹 IBM has warned of a serious security vulnerability in the IBM API Connect platform, a platform used to manage application programming interfaces (APIs) within large organizations

    @xabdul

    31 Dec 2025

    2292 Impressions

    4 Retweets

    18 Likes

    15 Bookmarks

    0 Replies

    0 Quotes

  28. IBM discloses a critical flaw in API Connect (CVE-2025-13915, CVSS score 9.8) allowing an authentication bypass. Risk of unauthorized remote access. #Cybersecurity #Vulnerability https://t.co/TZskU1FDhF @TheHackersNews

    @cyberwatcher_

    31 Dec 2025

    84 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. IBM discloses a critical flaw in API Connect (CVE-2025-13915, CVSS score 9.8) allowing an authentication bypass. Risk of remote access. #Cybersecurity #Vulnerability https://t.co/TZskU1FDhF @TheHackersNews

    @cyberwatcher_

    31 Dec 2025

    70 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. #IBM is warning that a critical CVE-2025-13915 flaw in API Connect, rated 9.8 on the CVSS scale, could let attackers bypass authentication and gain remote access without user interaction. https://t.co/3kj0Kthn2v

    @NetizenCorp

    31 Dec 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. IBM has issued an urgent patch call for a critical security vulnerability identified in the API Connect platform. Registered as CVE-2025-13915, this vulnerability lets attackers bypass authentication to gain unauthorized remote access and, especially in banking and healthcare

    @maktechhub2025

    31 Dec 2025

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. IBM discloses a critical flaw (CVE-2025-13915, score 9.8) in API Connect, allowing an authentication bypass. High risk of unauthorized remote access. #Cybersecurity #Vulnerability https://t.co/TZskU1FDhF @TheHackersNews

    @cyberwatcher_

    31 Dec 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. CVE-2025-13915# Why Every Enterprise Using IBM API Connect is Now at Risk of a Total Data Hijack Read the full report on - https://t.co/KRfxbiN55k https://t.co/8DTyKVZCC0

    @cyberbivash

    31 Dec 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. IBM API Connect Hit by CVE-2025-13915 Authentication Bypass Bug #cybersecurity #cyashadotcom #UnitedStates https://t.co/pFD9GioxSm

    @cyashadotcom

    30 Dec 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. 🚨 CRITICAL: IBM API Connect flaw lets attackers bypass authentication (CVE-2025-13915). Versions 10.0.8.0–10.0.8.5 & 10.0.11.0 at risk! Restrict access, monitor logs, and prep for patches. Details: https://t.co/K9cX6Ab3x7... https://t.co/IFnI62muDK

    @offseq

    27 Dec 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. CVE-2025-13915 Authentication Bypass Vulnerability in IBM API Connect 10.0.8.0 t... https://t.co/eRmHRePuZt Vulnerability Alert Subscriptions: https://t.co/hrQhy5uz4x

    @VulmonFeeds

    26 Dec 2025

    92 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  37. [CVE-2025-13915: CRITICAL] IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.#cve,CVE-2025-13915,#cybersecurity https://t.co/z7iVlZg9Pk https://t.co/3qJdPc8q3y

    @CveFindCom

    26 Dec 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.