CVE-2025-13915

The Open Door Policy: Smashing IBM API Connect for Instant Admin Access

Amit Schendel
Senior Security Researcher

Jan 1, 2026 · 6 min read

Executive Summary (TL;DR)

IBM API Connect has a CVSS 9.8 hole in its Developer Portal. If 'self-service sign-up' is enabled, the authentication logic fails to properly validate user creation requests. This allows remote attackers to bypass identity verification entirely, potentially registering as administrators or hijacking existing accounts without credentials. IBM has released iFixes; immediate patching or disabling sign-up is required.

A critical authentication bypass in IBM API Connect's Developer Portal allows unauthenticated attackers to hijack accounts or create admin users simply by manipulating the self-service sign-up flow.

Technical Appendix

CVSS Score: 9.8 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.37% (percentile: top 100% most exploited)

Affected Systems

- IBM API Connect V10.0.8.0 - V10.0.8.5
- IBM API Connect V10.0.11.0
- IBM API Connect Developer Portal

Affected Versions Detail

Product         | Vendor | Affected Versions   | Fixed Version
IBM API Connect | IBM    | 10.0.8.0 - 10.0.8.5 | 10.0.8.5-iFix
IBM API Connect | IBM    | 10.0.11.0           | 10.0.11.0-iFix
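The affected-versions table above is the data a defender actually has to act on during triage. The following is an added example, not IBM's code or tooling: it encodes the two affected ranges and the fixed builds exactly as the table lists them and classifies an installed version string, returning whether the advisory's interim mitigation (disabling self-service sign-up) still applies. The way it recognises a patched build (an "iFix" suffix on the top build of a range, as in "10.0.8.5-iFix") is an assumption drawn from the table's naming; confirm the precise iFix version strings against IBM's bulletin before relying on it. Versions outside the listed ranges are reported as "not-in-range", not as safe, since the advisory says nothing about them.

```python
"""Version triage for CVE-2025-13915 (IBM API Connect Developer Portal).

Added example, not IBM's code. Ranges and fixed-build labels are taken from
the advisory's affected-versions table; the iFix-suffix detection is an
assumption about build naming.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# From the advisory table: (lowest affected, highest affected, fixed build)
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5), "10.0.8.5-iFix"),
    ((10, 0, 11, 0), (10, 0, 11, 0), "10.0.11.0-iFix"),
]

# Accepts "10.0.8.3", "V10.0.8.5" or "10.0.8.5-iFix"
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)(?:-(.+))?$")


@dataclass(frozen=True)
class Verdict:
    version: str
    status: str                   # "affected", "fixed", "not-in-range", "invalid"
    fixed_build: Optional[str]    # build to move to, when the table names one
    interim_disable_signup: bool  # True when unpatched and sign-up is still on


def parse_version(text: str) -> Optional[Tuple[Tuple[int, ...], Optional[str]]]:
    """Split a version string into a numeric tuple (padded to 4 parts) and suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) < 4:
        # "10.0.8" should compare like "10.0.8.0"
        nums = nums + (0,) * (4 - len(nums))
    return nums, m.group(2)


def classify(version_text: str, signup_enabled: bool = True) -> Verdict:
    """Classify an installed version against the advisory's affected ranges."""
    parsed = parse_version(version_text)
    if parsed is None:
        return Verdict(version_text, "invalid", None, False)
    nums, suffix = parsed
    for low, high, fixed in AFFECTED_RANGES:
        if low <= nums <= high:
            # Assumption: the patched build is the top of the range carrying
            # an "iFix" suffix, matching the table's "10.0.8.5-iFix" naming.
            if nums == high and suffix and suffix.lower().startswith("ifix"):
                return Verdict(version_text, "fixed", fixed, False)
            # Unpatched: patch, or disable self-service sign-up meanwhile.
            return Verdict(version_text, "affected", fixed, signup_enabled)
    # Not listed by the advisory; do not read this as "safe".
    return Verdict(version_text, "not-in-range", None, False)


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real deployment.
    for v in ("V10.0.8.3", "10.0.8.5-iFix", "10.0.11.0", "10.0.11.0-iFix", "10.0.7.9", "n/a"):
        print(classify(v))
```

The `interim_disable_signup` flag mirrors the advisory's own guidance: an unpatched build in an affected range with self-service sign-up enabled is the configuration the bypass requires, so turning sign-up off is the stop-gap until the iFix is applied.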
Attribute           | Detail
CWE                 | CWE-305 (Authentication Bypass)
CVSS v3.1           | 9.8 (Critical)
Attack Vector       | Network (Remote)
Privileges Required | None
EPSS Score          | 0.37% (Low/Emerging)
Exploit Status      | No Public PoC / Internal Discovery
CWE-305: Authentication Bypass by Primary Weakness

Vulnerability Timeline

2025-02-13: IBM publishes Security Bulletin
2025-02-13: CVE-2025-13915 assigned