


Perceptive Security
SOC/SIEM Consultancy

IBM warns of critical API Connect auth bypass vulnerability
Published:
31 December 2025 at 10:34:38
Alert date:
31 December 2025 at 11:02:10
Source:
bleepingcomputer.com
Enterprise Applications, Identity & Access, Zero-Day Vulnerabilities
IBM has issued a critical security warning for its API Connect enterprise platform, urging customers to apply patches for an authentication bypass vulnerability. The flaw could allow remote attackers to access applications without proper authentication. This represents a significant security risk for organizations using IBM's API Connect platform for managing their API infrastructure. The vulnerability affects the authentication mechanisms of the platform, potentially compromising the security of connected applications and services.
Technical details
The flaw is a critical authentication bypass vulnerability in IBM API Connect with a severity rating of 9.8/10. It allows unauthenticated threat actors to bypass authentication and remotely gain unauthorized access to exposed applications, in low-complexity attacks that don't require user interaction.
Mitigation steps:
Upgrade vulnerable IBM API Connect installations to the latest release immediately, applying the patches according to the detailed instructions for VMware, OCP, and Kubernetes environments in IBM's support documentation. Customers unable to install the interim fix should disable self-service sign-up on the Developer Portal, if it is enabled, to minimize exposure.
Affected products:
IBM API Connect version 10.0.11.0
IBM API Connect versions 10.0.8.0 through 10.0.8.5
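To triage an inventory against the affected versions listed above, the following Python code is an added example, not code from IBM or from the original alert. The `host,version` inventory format, the hostnames and the function names are assumptions made for illustration.

```python
import re

# Affected ranges exactly as listed in this alert (inclusive bounds).
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]
# Strict four-part version; anything else is sent to manual review.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not N.N.N.N."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """Return 'affected', 'not-listed' or 'unparsed' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # review by hand rather than assuming it is fine
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:  # tuple comparison is field by field
            return "affected"
    return "not-listed"  # not in the alert's list; this is not a "safe" verdict

def triage(inventory_lines):
    """Map 'host,version' lines to {host: status}; skips blanks and comments."""
    result = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result[host.strip()] = classify(version)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
apic-prod-01,10.0.8.3
apic-prod-02,10.0.8.6
apic-dev-01,10.0.11.0
apic-old-01,unknown
"""

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

A host reported as `affected` only matches the version list; whether the interim fix has already been applied has to be confirmed separately using IBM's support documentation.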
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-13915
https://www.ibm.com/support/pages/node/7255149
https://www.ibm.com/support/pages/node/7255318
https://www.cisa.gov/binding-operational-directive-22-01
https://nvd.nist.gov/vuln/detail/CVE-2022-47986
https://nvd.nist.gov/vuln/detail/CVE-2013-3993
This article was created with the assistance of AI technology by Perceptive.
