<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>API Connect (12.1.0.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/api-connect-12.1.0.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 16:25:27 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/api-connect-12.1.0.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-3144 - IBM API Connect Default Credentials Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-ibm-api-connect-default-creds/</link><pubDate>Wed, 08 Jul 2026 16:25:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-ibm-api-connect-default-creds/</guid><description>IBM API Connect versions 12.1.0.0 through 12.1.0.3 are vulnerable to unauthorized access due to the use of default credentials, allowing an attacker to gain initial access to the application before the system enforces a credential update.</description><content:encoded><![CDATA[<p>IBM has disclosed CVE-2026-3144, affecting IBM API Connect versions 12.1.0.0 through 12.1.0.3. This critical vulnerability stems from the application's use of default credentials, which attackers can leverage to gain unauthorized access. The issue allows threat actors to bypass authentication mechanisms before the system enforces a mandatory credential update. This provides a straightforward initial access vector, enabling adversaries to potentially control API configurations, access sensitive data, or establish further persistence within compromised environments. Organizations utilizing the affected versions should prioritize immediate remediation to prevent unauthorized exploitation and mitigate the risk of severe operational and data security impacts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker conducts reconnaissance to identify internet-facing IBM API Connect instances within versions 12.1.0.0 through 12.1.0.3.</li>
<li>Attacker attempts to authenticate to the identified API Connect management interface (e.g., via the login endpoint) using commonly known default usernames and passwords (e.g., 'admin'/'admin', 'user'/'password').</li>
<li>Due to the vulnerability (CWE-1392), the application successfully authenticates the attacker using the hardcoded or easily guessable default credentials.</li>
<li>Attacker gains full unauthorized access to the IBM API Connect management console and its functionalities, inheriting privileges associated with the default account.</li>
<li>Attacker performs actions such as modifying API definitions, creating new APIs, or accessing API analytics and sensitive configuration data.</li>
<li>The unauthorized access could enable sensitive data exposure, API manipulation, or the establishment of a foothold for lateral movement into connected internal systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Exploitation of CVE-2026-3144 grants an unauthenticated attacker high privileges over the IBM API Connect platform, as indicated by its CVSS 3.1 score of 8.1. If successfully exploited, adversaries can gain complete control over API management, potentially leading to widespread disruption of services, unauthorized data access or exfiltration, and the creation of backdoors for future access. Organizations managing critical business APIs via affected versions face significant risks, including reputational damage, compliance failures, and severe operational interruptions if their API infrastructure is compromised. The vulnerability applies to any organization using the specified versions of IBM API Connect.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply patches or upgrade IBM API Connect to a version that remediates CVE-2026-3144 as per the vendor advisory <code>https://www.ibm.com/support/pages/node/7278909</code>.</li>
<li>Ensure all default credentials for IBM API Connect instances are changed to strong, unique passwords immediately upon deployment and configuration.</li>
<li>Implement robust monitoring for all authentication attempts, specifically looking for successful logins by default or newly created privileged accounts from unusual source IP addresses or locations within your webserver category logs.</li>
<li>Review access logs for the IBM API Connect management interface (from your webserver logs) for suspicious login patterns or unauthorized API manipulation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability-exploitation</category><category>default-credentials</category><category>ibm</category><category>api-connect</category><category>initial-access</category></item><item><title>Unauthenticated SQL Injection in IBM API Connect (CVE-2026-9074)</title><link>https://feed.craftedsignal.io/briefs/2026-07-ibm-api-connect-sqli/</link><pubDate>Wed, 08 Jul 2026 16:24:32 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-ibm-api-connect-sqli/</guid><description>IBM API Connect versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 are vulnerable to an unauthenticated SQL injection (CVE-2026-9074) in the password reset functionality, potentially leading to unauthorized data access or authentication bypass.</description><content:encoded><![CDATA[<p>A critical unauthenticated SQL injection vulnerability, tracked as CVE-2026-9074 (CVSS v3.1 Base Score: 9.1), affects IBM API Connect versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3. This flaw resides within the password reset functionality of the API management platform, allowing a remote attacker to inject malicious SQL queries without requiring any prior authentication. Successful exploitation of this vulnerability could enable an attacker to bypass authentication mechanisms, gain unauthorized access to sensitive database information, or potentially manipulate data, posing a significant risk to the integrity and confidentiality of the affected systems and user accounts. Organizations utilizing the specified vulnerable versions of IBM API Connect are strongly urged to apply the available patches immediately to mitigate this severe risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies an exposed IBM API Connect instance running a vulnerable version (10.0.8.0-10.0.8.9 or 12.1.0.0-12.1.0.3).</li>
<li>The attacker accesses the publicly available password reset functionality of the IBM API Connect web interface.</li>
<li>The attacker crafts and submits a specially malformed request to the password reset endpoint, embedding SQL injection payloads within input fields or parameters that are processed by the application's backend database.</li>
<li>The vulnerable application processes the malicious input without proper sanitization, leading to the execution of the attacker's arbitrary SQL commands within the database.</li>
<li>Depending on the crafted payload, the attacker might retrieve sensitive information from the database (e.g., user credentials, API keys) or bypass authentication to gain unauthorized access to user accounts.</li>
<li>Upon successful data exfiltration or authentication bypass, the attacker can leverage the compromised credentials or access tokens for further malicious activities within the API Connect environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-9074 can lead to severe consequences for organizations. Due to the unauthenticated nature of the vulnerability, any attacker can initiate the exploitation. The primary impacts include unauthorized access to sensitive data stored in the backend database, such as user account details, API configurations, or other critical system information. Attackers could also achieve authentication bypass, gaining full control over administrative or user accounts within the IBM API Connect instance. This could lead to further compromise of managed APIs, data exfiltration, service disruption, or unauthorized modification of system settings, severely compromising the confidentiality and integrity of the API management platform and the services it exposes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-9074 immediately by updating IBM API Connect to a fixed version beyond 10.0.8.9 or 12.1.0.3, as described in the IBM support advisories referenced.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-9074 Exploitation Attempt - IBM API Connect SQL Injection&quot; to your SIEM and tune for your environment to detect attempts against the password reset functionality.</li>
<li>Monitor web server logs for suspicious requests to password reset endpoints containing common SQL injection patterns.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sql-injection</category><category>web-vulnerability</category><category>critical-vulnerability</category><category>api-management</category></item></channel></rss>