CVE-2025-13915: The Open Door Policy: Smashing IBM API Connect for Instant Admin Access

#security #cve #cybersecurity

The Open Door Policy: Smashing IBM API Connect for Instant Admin Access

Vulnerability ID: CVE-2025-13915
CVSS Score: 9.8
Published: 2025-12-26

A critical authentication bypass in IBM API Connect's Developer Portal allows unauthenticated attackers to hijack accounts or create admin users simply by manipulating the self-service sign-up flow.

TL;DR

IBM API Connect has a CVSS 9.8 hole in its Developer Portal. If 'self-service sign-up' is enabled, the authentication logic fails to properly validate user creation requests. This allows remote attackers to bypass identity verification entirely, potentially registering as administrators or hijacking existing accounts without credentials. IBM has released iFixes; immediate patching or disabling sign-up is required.

Technical Details

CWE: CWE-305 (Authentication Bypass)
CVSS v3.1: 9.8 (Critical)
Attack Vector: Network (Remote)
Privileges Required: None
EPSS Score: 0.37% (Low/Emerging)
Exploit Status: No Public PoC / Internal Discovery

Affected Systems

IBM API Connect V10.0.8.0 - V10.0.8.5
IBM API Connect V10.0.11.0
IBM API Connect Developer Portal
IBM API Connect: 10.0.8.0 - 10.0.8.5 (Fixed in: 10.0.8.5-iFix)
IBM API Connect: 10.0.11.0 (Fixed in: 10.0.11.0-iFix)

Mitigation Strategies

Disable Self-Service Sign-up immediately if patching is delayed.
Restrict network access to the Developer Portal management interfaces.
Implement WAF rules to block registration requests containing suspicious parameters (e.g., 'role', 'admin', 'status').

Remediation Steps:

Identify the current version of IBM API Connect (v10.0.8.x or v10.0.11.0).
Download the corresponding iFix from IBM Support (Node 7255149).
Apply the patch to all Management and Portal subsystems.
Verify the fix by attempting a registration with injected parameters in a test environment.