Critical Authentication Bypass Flaws Highlight Ongoing Identity Risks In Enterprise Platforms

IBM and Fortinet disclosures reveal how misconfigurations and legacy issues can still enable high-impact access control failures

Published on Jan 5, 2026
Two vulnerabilities in IBM API Connect and Fortinet FortiGate devices are drawing attention to persistent flaws in enterprise authentication controls, particularly where identity systems interact with external directories.

IBM recently disclosed a critical authentication bypass vulnerability in IBM API Connect, tracked as CVE-2025-13915, following internal testing. According to the tech giant, the flaw could allow a remote, unauthenticated attacker to gain full access to affected API management environments, creating a serious risk to exposed enterprise integrations. The vulnerability carries a CVSS base score of 9.8.

The issue affects IBM API Connect versions 10.0.8.0 through 10.0.8.5 and version 10.0.11. IBM advised customers to apply the relevant interim fixes or upgrade immediately.

“Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exposure to this vulnerability,” IBM warned in its advisory.

Fortinet Observes In-the-Wild Abuse of Legacy LDAP Authentication Weakness

Separately, Fortinet reported active abuse of a long-standing FortiGate authentication flaw originally disclosed in July 2020 as FG-IR-19-283 (CVE-2020-12812).

The report, which comes weeks after another Fortinet flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, attributes the issue to inconsistent handling of username case sensitivity between FortiGate systems and Lightweight Directory Access Protocol (LDAP) directories.

In some configurations, attackers are able to bypass two-factor authentication (2FA) by altering the capitalization of a username, causing FortiGate to fall back to less restrictive LDAP group policies. This technique can allow administrative or Virtual Private Network (VPN) access without multi-factor checks.

Fortinet noted that configuration-based mitigations were introduced in FortiOS versions starting with 6.0.10. Administrators are advised to disable the case sensitivity feature for usernames and remove unnecessary secondary LDAP authentication groups.
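To make the mismatch concrete, the following added example (not Fortinet’s code, and not real FortiOS behaviour or log format) models a local user table that is matched case-sensitively while the directory behind it matches case-insensitively, shows the normalised lookup that closes the gap, and runs a simple check over constructed log lines to flag successful logins whose username casing differs from the configured account name. All user names, groups and log lines are constructed.

```python
import re

# Constructed local user table: account name -> (group, requires_2fa).
# Accounts configured locally get the strict policy with 2FA.
LOCAL_USERS = {
    "jdoe": ("vpn-admins", True),
}
# Constructed fallback: a user the directory accepts but that did not
# match a local entry lands in a weaker group without the 2FA check.
LDAP_FALLBACK_GROUP = ("ldap-users", False)

def resolve_policy(username: str, case_sensitive: bool):
    """Return (group, requires_2fa) for a username the directory accepted.

    The directory itself matches names case-insensitively, so "JDoe" and
    "jdoe" are the same account to it. In the case-sensitive mode the
    local lookup misses "JDoe" and falls back to the weaker group; the
    hardened mode normalises the name before the lookup.
    """
    key = username if case_sensitive else username.lower()
    return LOCAL_USERS.get(key, LDAP_FALLBACK_GROUP)

# Constructed log format (key=value fields), not real FortiGate output.
LOG_RE = re.compile(r'user="(?P<user>[^"]+)"\s+action=login\s+status=(?P<status>\w+)')

def flag_case_variant_logins(log_lines, known_users=LOCAL_USERS):
    """Return usernames of successful logins whose casing differs from a
    configured account name: a sign the strict policy may have been skipped."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("status") != "success":
            continue
        user = m.group("user")
        if user not in known_users and user.lower() in known_users:
            flagged.append(user)
    return flagged

SAMPLE_LOG = [  # constructed sample events
    'date=2026-01-05 user="jdoe" action=login status=success',
    'date=2026-01-05 user="JDoe" action=login status=success',
    'date=2026-01-05 user="guest" action=login status=failed',
]

if __name__ == "__main__":
    print(resolve_policy("JDoe", case_sensitive=True))   # ('ldap-users', False)
    print(resolve_policy("JDoe", case_sensitive=False))  # ('vpn-admins', True)
    print(flag_case_variant_logins(SAMPLE_LOG))          # ['JDoe']
```

The same normalisation belongs at every point where a username is used as a key, since a single case-sensitive comparison anywhere in the chain recreates the gap.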

Together, the two disclosures reinforce a familiar lesson for security leaders: authentication weaknesses, whether newly discovered or long-known, remain a primary path to enterprise compromise when patches and configurations lag behind vendor guidance.