
API Threats Grow in Scale as AI Expands the Blast Radius

New research shows attackers increasingly abusing APIs at machine speed as AI-driven systems widen exposure and amplify impact. The post API Threats Grow in Scale as AI Expands the Blast Radius appeared first on SecurityWeek.


Application Programming Interfaces (APIs) remain an attacker-favored exploit route. Aggressors continuously target common failures in identity, access control and exposed interfaces – often at scale and machine speed. AI is increasing the threat surface.

In an analysis of more than 60,000 published vulnerabilities disclosed in 2025, Wallarm found more than 11,000 (17%) were API-related. A concurrent analysis of CISA KEV Catalog additions for 2025 found 43% of exploited vulnerabilities were API-related.

The report demonstrates the severity of the threat by including details of the top ten API-relevant breaches from 2025. The top three are 700Credit, Qantas, and Salesloft.

A standout element of the report is the continuing expansion of AI technologies and their effect on APIs and AI security. “API security is at the heart of any AI transformation,” comments Ivan Novikov, founder and CEO at Wallarm. “Every AI application or agent interaction is mediated through an API. API security is integral to successful AI adoption, and AI by its very nature has made the consequences of getting it wrong much larger and much more impactful.”

The rise of the Model Context Protocol (MCP) will inevitably play a major part in future AI/API issues. “MCP emerged as a leading indicator of where API risk is heading,” states the report. It describes MCP as a control plane API for agents. If exposed or misconfigured, “Attackers gain leverage over autonomous workflows rather than single endpoints.”

Wallarm found 315 MCP-related vulnerabilities in 2025. The threat is already severe, and likely to grow. MCP is too new for year-on-year comparisons, but the firm noted a 270% increase in MCP vulnerabilities between Q2 and Q3 2025, describing it as ‘stunning momentum for a protocol that is still early in adoption’.

The danger from MCP vulnerabilities is that they consistently combine three failure modes: over-permissioned tools (with agents granted broad API access by default), direct API exposure (often containing the common API vulnerabilities), and lack of runtime enforcement (meaning policy violations are only visible after the damage occurs).
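A minimal runtime gate addressing the first and third failure modes, as an added example that is not from the Wallarm report or any MCP implementation. The agent name, tool names, policy layout and `ToolGate` class are hypothetical; the request shape assumes MCP's JSON-RPC `tools/call` method with `name` and `arguments` parameters.

```python
import json
from urllib.parse import urlsplit

# Hypothetical per-agent grants: anything not listed is denied.
POLICY = {
    "support-agent": {
        "crm.lookup_customer": {"max_calls": 3},
        "http.get": {"max_calls": 2, "allowed_hosts": {"api.example.internal"}},
    }
}

class ToolGate:
    """Checks each tools/call request before it is forwarded to a server."""

    def __init__(self, policy):
        self.policy = policy
        self.calls = {}  # (agent, tool) -> calls already allowed this session

    def check(self, agent, raw_request):
        """Return (allowed, reason) for one JSON-RPC request string."""
        try:
            req = json.loads(raw_request)
        except json.JSONDecodeError:
            return False, "malformed request"
        if not isinstance(req, dict) or req.get("method") != "tools/call":
            return False, "method not permitted"
        params = req.get("params")
        if not isinstance(params, dict) or not isinstance(params.get("name"), str):
            return False, "missing tool name"
        tool = params["name"]
        rule = self.policy.get(agent, {}).get(tool)
        if rule is None:  # over-permissioning control: default deny
            return False, "tool not granted to agent"
        args = params.get("arguments")
        args = args if isinstance(args, dict) else {}
        if "allowed_hosts" in rule:  # constrain where the tool may reach
            try:
                host = urlsplit(str(args.get("url", ""))).hostname
            except ValueError:
                host = None
            if host not in rule["allowed_hosts"]:
                return False, "destination host not allowed"
        used = self.calls.get((agent, tool), 0)
        if used >= rule["max_calls"]:  # resource-consumption budget
            return False, "call budget exhausted"
        self.calls[(agent, tool)] = used + 1
        return True, "ok"
```

Because the decision is made before the call is forwarded, a denied request is a log event at the gate rather than a finding after the downstream API has already acted.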

It is unlikely the MCP threat can be contained going forward. It is an open source standard that allows LLMs to connect to data sources and tools. Each user takes the open source and creates their own MCP server for their own use. “MCP servers are software, and we should expect the same risk patterns with it as with other software,” comments Tim Erlin, security strategist at Wallarm. “There will always be vulnerabilities. In some cases, they will be specific to one implementation, in other – likely fewer – cases, they might be inherent in the protocol itself.”

Basically, MCP users are likely to create or inherit vulnerabilities, while there is no original source to fix. “MCP can’t be ‘fixed’ at its source because there are multiple vendors participating in the MCP ecosystem,” continues Erlin. “There isn’t one source to fix.”

Analyzing the weaknesses in APIs generally, Wallarm found that cross-site issues rose from the fifth most frequent area of abuse in 2024 to number one in 2025, suggesting a change in attacker focus.

Injections ranked number one in 2024 and number two in 2025. “It’s clear that despite years of industry education about injections, APIs continue to process vast volumes of untrusted input and pass it directly into downstream systems,” states the analysis.

Broken access control moved down from number two to number three, while insecure resource consumption rose from number seven to number four. These are the most commonly abused API weaknesses, but the complete list needs to be fixed. Attackers always use the easiest route, and if some are closed, they’ll use the others.

Analyzing its statistics, Wallarm comes to three conclusions. Firstly, attackers favor abuse over bugs, by targeting logic, trust and usage. Secondly, AI is amplifying existing weaknesses rather than introducing new ones. Thirdly, runtime behavior defines the API risk, not pre-production testing.

Most API vulnerabilities are fast, remote, and easy to exploit. Attackers take full advantage of these attributes. The report finds 97% of API vulnerabilities can be exploited with a single request, 98% are easy or trivial to exploit, and 99% are remotely exploitable. In 59% of cases, no authentication is required.
