{“lastseen”:”2025-10-31T12:31:23″,”description”:”Wallarm\u2019s latest Q3 2025 API ThreatStats report [link placeholder] reveals that API vulnerabilities, exploits, and breaches are not just increasing; they\u2019re evolving. \\n\\nMalicious actors are shifting from code-level weaknesses to business logic flaws, from web apps to partner integrations, and from REST to AI-powered APIs.\\n\\nHere\u2019s what stood out this quarter, and what security leaders should do about it.\\n\\n\\n\\n## API Vulnerabilities Surge Again\\n\\nIn Q3 2025, our researchers identified 1,602 API-related vulnerabilities, a 20% increase from Q2. The average severity held steady at a CVSS of 7.4, meaning most flaws remain High or Critical.\\n\\nThe culprits haven\u2019t changed much:\\n\\n * Security Misconfiguration (API8) once again topped the list with 605 cases, up 33% quarter over quarter.\\n * Broken Authorization (API5, API1) accounted for roughly 28% of all API vulnerabilities.\\n * Broken Authentication (API2) climbed sharply, driven by weak credential enforcement in REST and SOAP APIs.\\n\\n\\n\\nDespite greater awareness, the same fundamental issues persist: misconfigurations, insufficient access control, and poor credential hygiene. Each points to the same systemic gap: APIs are still being deployed faster than they are secured.\\n\\n## AI-API and MCP Vulnerabilities Are Exploding\\n\\nIf there\u2019s one unmistakable trend, it\u2019s the rise of AI-API vulnerabilities.\\n\\nIn Q3, these grew from 77 to 121, a 57% increase in just three months. Within that group, Model Context Protocol (MCP) vulnerabilities spiked 270%, signaling that malefactors are quickly learning how to exploit model-serving and inference pipelines.\\n\\nMost of these flaws map to familiar API weaknesses: misconfiguration, broken function-level authorization, and unsafe consumption of APIs. But the implications run deeper.\\n\\nAI-API integrations don\u2019t just expose data; they expose business logic, workflows, and trust chains. As entities embed AI across customer and partner interfaces, these attack surfaces multiply, and traditional API scanning alone can\u2019t keep pace.\\n\\nThe takeaway: As we claimed in our 2025 Annual API ThreatStats report, AI security is now API security. Any enterprise integrating model endpoints or agentic systems must extend its API protection stack to cover inference and orchestration layers.\\n\\n## Exploited APIs Still Follow the Same Patterns\\n\\nThe CISA Known Exploited Vulnerabilities (KEV) catalog added 51 new entries in Q3. Of those, 8 (16%) were API-related, showing that APIs remain a consistent portion of confirmed in-the-wild exploits.\\n\\nThese real-world attacks reflected the same old patterns:\\n\\n * Broken Authorization in Cisco ISE and TeleMessage APIs enabled unauthorized access and remote code execution.\\n * Security Misconfiguration exposed diagnostic interfaces such as Spring Boot Actuator endpoints.\\n * Unsafe Consumption of APIs led to deserialization flaws in systems like Fortra GoAnywhere and DELMIA Apriso.\\n\\n\\n\\nThe overlap between vulnerabilities and active exploits is telling. The same classes of weaknesses keep being rediscovered, re-exploited, and remediated, often too late.\\n\\n## Breaches Reveal Expanding Attack Chains\\n\\nEight major API-related breaches were confirmed in Q3, spanning fintech, hospitality, SaaS, and AI. The numbers dipped slightly from Q2, but the scope and complexity increased.\\n\\nThe standout was the Salesloft \/ Drift OAuth incident, which used stolen tokens to compromise Salesforce APIs across multiple enterprises, including Cloudflare, Zscaler, Palo Alto Networks, and Google. It was a single exploit that rippled across entire partner ecosystems.\\n\\nOther cases worth mentioning include:\\n\\n * **Restaurant Brands International (RBI):** drive-thru and ordering APIs exploited through logic flaws and broken object-level authorization (BOLA).\\n * **SwissBorg:** $41M lost through fintech API abuse.\\n * **McDonald\u2019s (via Paradox.ai):** internal chatbot APIs exposed sensitive applicant and HR data.\\n * **Flexypay Solutions:** fraudulent partner API calls triggered unauthorized payouts.\\n\\n\\n\\nThe common thread is that bad actors are doing more than probing APIs for injection flaws, they\u2019re manipulating workflows, tokens, and trust boundaries.\\n\\n## The Rise of Business Logic Abuse\\n\\nAmong all findings, the report highlights one trend every CISO should note: Business Logic Abuse (BLA).\\n\\nUnlike SQL injection or XSS, BLA doesn\u2019t exploit coding errors; it abuses the way an application is designed to work. Attackers skip steps, repeat one-time actions, or twist state transitions to gain unauthorized outcomes.\\n\\nExamples include:\\n\\n * Reusing coupons or refunds that should expire (Action Limit Overrun)\\n * Skipping workflow validation steps (Missing Transition Validation)\\n * Abusing hidden or legacy API functions (Shadow Function Abuse)\\n\\n\\n\\nThe OWASP Business Logic Abuse Top 10, released this year, formalizes this growing class of attacks. And with 82% of businesses now describing themselves as API-first, the logic layer has become a lucrative new target.\\n\\n\\n\\nTraditional WAFs and static scanners can\u2019t catch this. Only stateful, behavior-aware monitoring and context-driven testing can detect BLA in real time.\\n\\n## Key Takeaways for Security Leaders\\n\\nQ3 confirms that API risk is outpacing traditional AppSec coverage. Misconfigurations and authorization failures remain endemic, AI integrations are accelerating, and logic abuse has entered the mainstream. The gap between awareness and execution is widening.\\n\\nSo where should firms focus next?\\n\\n### Make API Security a First-Class Citizen\\n\\nAPIs now represent your primary attack surface. Treat them that way. Integrate API metrics (inventory coverage, exposure rates, mean time to detect) into your board-level dashboards.\\n\\n### Bridge the AppSec Divide\\n\\nWeb, mobile, and API security are no longer separate domains. Unify governance and testing under one framework so that every new service is secure from design through deployment.\\n\\n### Extend Protection to AI Pipelines\\n\\nAI endpoints must be monitored like privileged systems. Instrument model APIs, log inference traffic, and audit integrations quarterly. Agentic systems require the same (or greater) rigor as customer-facing APIs.\\n\\n### Hunt Shadow APIs\\n\\nDiscovery isn\u2019t enough. Use active scanning and traffic correlation to uncover unregistered endpoints, debug paths, and staging leftovers before attackers do. \\n\\n### Test Business Logic, Not Just Code\\n\\nAutomate abuse simulations in CI\/CD. Check for role escalation, skipped workflows, and token replay. If your QA process ends with schema validation, you\u2019re not testing security, just syntax.\\n\\n## API Security Leads AppSec\\n\\nThe Q3 2025 API ThreatStats report paints a picture of API sprawl, AI integration, and business logic flaws converging into a systemic risk.\\n\\nAttackers are evolving faster than defenses. The question isn\u2019t whether APIs will be targeted; it\u2019s whether entities can see and stop the attacks before they cascade across connected ecosystems.\\n\\nAPI security can no longer sit behind AppSec. It has to lead it. For the full insights, download the report today.\\n\\nThe post When APIs Become Attack Paths: What the Q3 2025 ThreatStats Report Tells Us appeared first on Wallarm.”,”published”:”2025-10-31T11:00:00″,”modified”:”2025-10-31T11:00:00″,”type”:”wallarmlab”,”title”:”When APIs Become Attack Paths: What the Q3 2025 ThreatStats Report Tells Us”,”source”:””,”references”:””,”id”:”WALLARMLAB:EE8560F69AE9D0ACF2B30DA347BAB2E8″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/lab.wallarm.com\/when-apis-become-attack-paths-q3-2025-threatstats-report\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-31T12:31:23″,”description”:”Wallarm\u2019s latest Q3 2025 API ThreatStats report [link placeholder] reveals that API vulnerabilities, exploits, and breaches are not just increasing; they\u2019re evolving. \\n\\nMalicious actors are…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,5,105],"class_list":["post-24245","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"\n