Critical Security Flaw in IBM App Connect Addressed with Updated Patch

Tue 1st Apr, 2025

IBM has addressed a significant security vulnerability in its App Connect Enterprise application-integration software. The flaw allowed attackers to inject malicious code onto users' systems, posing a serious risk to affected devices.

This vulnerability, identified as CVE-2025-1302, has been classified as critical because of its impact on the jsonpath-plus module, which processes JSON configurations. Insufficient input validation gave attackers an opportunity to exploit the system with crafted requests and ultimately execute harmful code.

The issue first came to light in December 2024 under the identifier CVE-2024-21534. However, the initial patch released by IBM proved ineffective, leaving systems inadequately protected. IBM has since issued a revised patch that addresses the vulnerability.

According to the developers, the vulnerabilities are resolved in versions 12.0.12.12 (APAR IT47820) and 13.0.3.0 (APAR IT47820). Alongside the critical flaw, an additional medium-severity vulnerability, CVE-2025-24791, was also fixed; it allowed attackers to bypass access controls.

As of now, there have been no confirmed reports of the vulnerability being actively exploited in the wild, but users are advised to apply the updated patches promptly to mitigate any potential risks.
