Wallarm, a global leader in API security, has published the results of its 2025 API ThreatStats Report, which finds that APIs emerged as the predominant attack surface over the past year, with AI the biggest driver of API security risk.
According to the report, Wallarm researchers tracked 439 AI-related CVEs, a 1,025% increase over the prior year. Almost 99% of these CVEs were rooted in APIs, including injection flaws, misconfigurations, and new memory corruption vulnerabilities stemming from AI's reliance on high-performance binary APIs.
On top of that, for the first time well over 50% of the vulnerabilities recorded in CISA's Known Exploited Vulnerabilities (KEV) catalog were API-related, a 30% increase from the year before. API vulnerabilities have now surpassed traditional exploit categories such as kernel, browser, and supply chain vulnerabilities, underlining their central role in the cyberattacks happening today.
Looking at the report in more detail, Wallarm's survey found that over 53% of enterprises engaged in multiple AI deployments, and these deployments were primarily enabled by APIs.
While AI integration continues to drive the adoption of APIs across industries at scale, it also introduces unique risks in the process.
Wallarm's threat intelligence, for example, flagged significant vulnerabilities in popular AI tools such as PaddlePaddle and MLflow, which underpin enterprise AI deployments. These tools were exploited at their API endpoints, compromising training data, siphoning intellectual property, or injecting malicious payloads into machine learning pipelines.
The report also found that the APIs handling real-time data exchange between AI models and applications often lacked adequate security measures, leaving them more susceptible to injection, abuse, and memory-related exploits.
“Based on our findings, what is clear is that API security is no longer just a technical challenge – it’s now a business imperative,” said Ivan Novikov, CEO and Co-Founder of Wallarm. “API-related security flaws are fueled by the adoption of AI, as APIs are the critical interface between AI models and the applications they power. However, this rapid growth has exposed significant vulnerabilities. For instance, we found that 57% of AI-powered APIs were externally accessible, and 89% relied on insecure authentication mechanisms. Of particular concern is that only 11% had robust security measures in place.”
The next major finding of Wallarm's report is that both legacy and modern APIs are under attack. Legacy APIs, such as those involved in the Digi Yatra and Optus incidents, remain vulnerable because of outdated designs, while modern RESTful APIs are now equally at risk owing to complex integration challenges and improper configurations.
APIs have also emerged as the largest category of exploited vulnerabilities in CISA KEV, with modern APIs accounting for over 33%. The exploits in this category include improper authentication, injection attacks, and API endpoint misconfigurations, and they have targeted enterprise-grade platforms, with prominent attacks involving Ivanti and Palo Alto Networks products.
Legacy APIs in web applications account for a further 18%-plus of exploited vulnerabilities. These vulnerabilities have historically occurred in older APIs used within web applications as AJAX backends, through URL parameters, or through direct calls to .php files.
Key exploit types here include URL-based injection, CSRF attacks, and outdated session handling mechanisms.
Wallarm also uncovered rapidly growing exploitation of authentication and access control flaws. This is made worse by the decentralized nature of API management in large organizations, where API-related breaches can quickly escalate in frequency and severity. The rise of API-driven systems in sectors such as healthcare, transportation, technology, and financial services has thus concentrated significant vulnerabilities in APIs and placed them at the crux of today's cybersecurity landscape.
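The three legacy exploit types listed above (URL-based injection, CSRF, weak session handling) and the authentication and access control failures noted after them can all be shown on one small endpoint. The following is an added example, not code from the Wallarm report or from any product it names: a minimal user-lookup handler of the AJAX-backend kind, written first in the legacy style (query-string parameter spliced into SQL, no session or CSRF check) and then hardened. The table contents, the session store and the header name are constructed for illustration. Python with only the standard library is used so that it runs stand-alone.

```python
"""Legacy-style API lookup beside a hardened version (illustrative, not vendor code)."""
import hmac
import secrets
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample data: two users, each of whom may only see their own row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return db


def legacy_lookup(db, query_string):
    """Legacy AJAX-backend pattern: ?id=... goes straight into the SQL text,
    there is no session, so any cross-site page can call it (CSRF), and a
    payload like 'id=1 OR 1=1' returns every row (URL-based injection)."""
    user_id = parse_qs(query_string).get("id", [""])[0]
    sql = "SELECT name, email FROM users WHERE id = " + user_id  # string concatenation
    return db.execute(sql).fetchall()


# Hypothetical server-side session store: session id -> (user id, CSRF token).
# Both values are 256-bit random tokens rather than predictable counters.
SESSIONS = {}


def create_session(user_id):
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user_id, csrf)
    return sid, csrf


def hardened_lookup(db, query_string, cookie_sid, csrf_header):
    """Hardened handler. Returns (http_status, rows).

    cookie_sid   - session id the browser sends automatically (cookie)
    csrf_header  - the session's CSRF token, which the page's own JavaScript
                   must copy into a request header; a cross-site form cannot.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, []  # no valid session: authentication failure
    user_id, expected_csrf = session

    # Constant-time comparison so timing does not leak the token.
    if csrf_header is None or not hmac.compare_digest(
        expected_csrf.encode(), csrf_header.encode()
    ):
        return 403, []  # missing or wrong CSRF token

    raw = parse_qs(query_string).get("id", [""])[0]
    if not raw.isdigit():
        return 400, []  # reject anything that is not a plain integer id

    requested = int(raw)
    # Access control: a caller may only read their own record (object-level authz).
    if requested != user_id:
        return 403, []

    # Parameterised query: the id is bound as data, never parsed as SQL.
    rows = db.execute(
        "SELECT name, email FROM users WHERE id = ?", (requested,)
    ).fetchall()
    return 200, rows


if __name__ == "__main__":
    db = make_db()
    print("legacy, honest request:", legacy_lookup(db, "id=1"))
    print("legacy, injected request:", legacy_lookup(db, "id=1 OR 1=1"))
    sid, csrf = create_session(1)
    print("hardened, honest request:", hardened_lookup(db, "id=1", sid, csrf))
    print("hardened, injected request:", hardened_lookup(db, "id=1 OR 1=1", sid, csrf))
    print("hardened, other user's row:", hardened_lookup(db, "id=2", sid, csrf))
    print("hardened, no CSRF header:", hardened_lookup(db, "id=1", sid, None))
```

The contrast is the point: the legacy handler has nothing to check, so an injected query string returns the whole table and any third-party page can trigger the call with the victim's cookies. The hardened handler fails closed at each layer (session, CSRF token, input shape, object-level authorisation) before the parameterised query ever runs, and the order matters, since an unauthenticated caller should not even reach the input validation step.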
“In today’s environment, organizations cannot afford to not secure their APIs. Failure to do so means they are exposing themselves to grave risks that can result in costly technical vulnerabilities and reputational and operational crises,” said Novikov.