A critical security alert has been issued regarding a severe vulnerability in the IBM API Connect platform that could allow remote attackers to bypass authentication mechanisms.
Discovered during internal testing, the flaw poses a significant risk to organizations relying on the platform for API management. It grants unauthorized actors access to the application without requiring valid credentials.
The vulnerability, tracked as CVE-2025-13915, has been assigned a critical CVSS base score of 9.8 out of 10. This near-maximum score reflects the ease of exploitation and the high impact on confidentiality, integrity, and availability.
The flaw is classified under CWE-305, which refers to an "Authentication Bypass by Primary Weakness." According to the advisory, the issue allows a remote attacker to circumvent the login process entirely.
Because the attack vector is network-based (AV:N) and requires no special privileges (PR:N) or user interaction (UI:N), the risk of automated or widespread exploitation is high.
The vulnerability affects specific versions of IBM API Connect. Administrators are urged to check their deployments for the following versions:
Product                    Affected Versions
IBM API Connect V10.0.8    Versions 10.0.8.0 through 10.0.8.5
IBM API Connect V10.0.11   Version 10.0.11.0
IBM strongly recommends that all affected customers upgrade immediately to the patched versions. The company has released iFixes for the affected release levels.
Product Version            Fix Availability
IBM API Connect V10.0.8    Patches available for versions 10.0.8.1 through 10.0.8.5
IBM API Connect V10.0.11   iFix available for version 10.0.11
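The two tables above are what an administrator needs to triage an API Connect estate. The script below is an added example, not part of the advisory or of any IBM tooling: it parses dotted version strings numerically (so that 10.0.8.10 is not mistakenly ordered before 10.0.8.5 by string comparison), checks each deployment against the affected ranges stated in the advisory, and flags unparsable entries for manual review instead of silently passing them. The function names, the `AFFECTED_RANGES` table and the sample inventory are constructed for this example.

```python
# Added example: classify API Connect deployments against the affected
# version ranges stated in the advisory (10.0.8.0-10.0.8.5 and 10.0.11.0).
# Function names and the sample inventory are assumptions for this example.
from typing import List, Tuple

Version = Tuple[int, ...]

# Inclusive (low, high) ranges, transcribed from the advisory's affected-versions table.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]


def parse_version(text: str) -> Version:
    """Turn '10.0.11' into (10, 0, 11, 0); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad short strings so that '10.0.11' compares equal to '10.0.11.0'.
    if len(nums) < 4:
        nums = nums + (0,) * (4 - len(nums))
    return nums


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison is numeric)."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def audit_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) pairs; status is 'affected', 'not-affected' or 'unknown'.

    Unparsable version strings are reported as 'unknown' rather than dropped,
    so a typo in the CMDB cannot hide a vulnerable host from the report.
    """
    report = []
    for host, version in inventory:
        try:
            status = "affected" if is_affected(version) else "not-affected"
        except ValueError:
            status = "unknown"
        report.append((host, status))
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("apic-prod-01", "10.0.8.5"),
    ("apic-prod-02", "10.0.8.6"),
    ("apic-dev-01", "10.0.11"),
    ("apic-legacy", "10.0.7.9"),
    ("apic-unknown", "10.0.x"),
]

if __name__ == "__main__":
    for host, status in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host:14s} {status}")
```

Note that the fix-availability table lists patches from 10.0.8.1 upward, so a host reported as affected at 10.0.8.0 needs to be moved to a patched 10.0.8.x level rather than just receiving an iFix in place; the script reports status only and leaves that decision to the administrator.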
For organizations that cannot immediately apply the patch, IBM has provided a temporary mitigation. Administrators should disable self-service sign-up on their Developer Portal if it is currently enabled.
While this does not fix the underlying code flaw, it helps minimize the attack surface and reduces exposure to this specific vulnerability until the permanent fix can be deployed.