CVE-2025-13915
CVSS 9.8 · EPSS 0.37%
The Open Door Policy: Smashing IBM API Connect for Instant Admin Access
Amit Schendel
Senior Security Researcher · Jan 1, 2026
No Known Exploit
Executive Summary (TL;DR)
IBM API Connect has a CVSS 9.8 hole in its Developer Portal. If 'self-service sign-up' is enabled, the authentication logic fails to properly validate user creation requests. This allows remote attackers to bypass identity verification entirely, potentially registering as administrators or hijacking existing accounts without credentials. IBM has released iFixes; immediate patching or disabling sign-up is required.
A critical authentication bypass in IBM API Connect's Developer Portal allows unauthenticated attackers to hijack accounts or create admin users simply by manipulating the self-service sign-up flow.
Technical Appendix
CVSS Score
9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.37% (top 100% most exploited)
Affected Systems
IBM API Connect V10.0.8.0 - V10.0.8.5
IBM API Connect V10.0.11.0
IBM API Connect Developer Portal
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| IBM API Connect (IBM) | 10.0.8.0 - 10.0.8.5 | 10.0.8.5-iFix |
| IBM API Connect (IBM) | 10.0.11.0 | 10.0.11.0-iFix |

| Attribute | Detail |
|---|---|
| CWE | CWE-305 (Authentication Bypass) |
| CVSS v3.1 | 9.8 (Critical) |
| Attack Vector | Network (Remote) |
| Privileges Required | None |
| EPSS Score | 0.37% (Low/Emerging) |
| Exploit Status | No Public PoC / Internal Discovery |
MITRE ATT&CK Mapping
CWE-305: Authentication Bypass by Primary Weakness
Vulnerability Timeline
2025-02-13: IBM publishes Security Bulletin
2025-02-13: CVE-2025-13915 assigned