Join us at Boston API Security Summit 2025!

Wallarm Releases Q3 2025 API ThreatStats Report: API Vulnerabilities Up 20%, MCP Risks Surge 270%

October 30, 2025

San Francisco, CA — October 30, 2025 — Wallarm, the leader in API and AI security, today announced the release of its Q3 2025 API ThreatStats Report, revealing that API-related vulnerabilities rose 20% quarter-over-quarter, while Model Context Protocol (MCP)–related risks surged 270%, marking a major escalation in API-adjacent AI exposure.

The report confirms that API risk has evolved from a technical challenge into a systemic business threat, as attackers increasingly exploit misconfigurations, authorization gaps, and AI integration flaws across modern digital ecosystems.

“The 270% rise in MCP-related vulnerabilities is a flashing red light,” said Ivan Novikov, CEO of Wallarm. “AI is deeply intertwined with APIs, and organizations aren’t yet prepared for how those AI interfaces expand the attack surface. Q3 data shows what we already know to be true, that AI security is API security.”

Key Findings from the Q3 2025 API ThreatStats Report

  • 1,602 API-related vulnerabilities were disclosed in Q3, a 20% increase from Q2.
  • AI-API vulnerabilities grew 57%, driven by explosive growth in MCP vulnerabilities (+270%).
  • Agentic AI vulnerabilities rose 67%, indicating early signs of risk in autonomous orchestration.
  • Security Misconfiguration (API8) dominated, accounting for 38% of all API flaws and rising 33% from Q2.
  • Authorization issues (API1 + API5) made up 28% of all API vulnerabilities.
  • 16% of vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were API-related.

MCP, AI, and API Risk Converge

The Q3 report is the first to quantify the rapid expansion of Model Context Protocol (MCP) vulnerabilities, a new layer connecting AI agents and backend systems. MCP issues jumped 270% from Q2 to Q3, far outpacing traditional API risk growth. These vulnerabilities expose the interfaces that allow AI agents to invoke APIs and share contextual data, effectively linking AI and API attack surfaces.

Business Logic Abuse and Real-World Breaches

The report also highlights Business Logic Abuse (BLA) as a growing cause of real-world API exploitation, cataloging attacks that target workflows, quotas, and state transitions rather than code-level flaws. The highlighted incidents show how attackers are transitioning from exploiting flaws in code to flaws in business logic, evading detection and transforming single vulnerabilities into cross-platform compromise events.

Availability

The full Q3 2025 API ThreatStats Report is available for download at https://www.wallarm.com/reports/q3-2025-wallarm-api-threatstats-report

About Wallarm

Wallarm is the only unified platform for API and agentic AI security successfully deployed in enterprise production environments. With Wallarm, customers receive the fastest, easiest, and most effective way to stop API attacks. Organizations choose Wallarm to protect their APIs and AI agents because the platform delivers a complete inventory of APIs, real-time blocking, and patented AI/ML-based abuse detection. Wallarm is headquartered in San Francisco, California, and is backed by Toba Capital, Y Combinator, Partech, and other investors.
