CVE-2025-32975
published 2025-06-24CVE-2025-32975: Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and…
PriorityP192critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-05-04
Exploited in the wild
EPSS
2.42%
82.1th percentile
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | kace_systems_management_appliance | >= 13.0 < 13.0.385 | 13.0.385 |
| quest | kace_systems_management_appliance | >= 13.1 < 13.1.81 | 13.1.81 |
| quest | kace_systems_management_appliance | >= 13.2 < 13.2.183 | 13.2.183 |
| quest | kace_systems_management_appliance | >= 14.0 < 14.0.341 | 14.0.341 |
| quest | kace_systems_management_appliance | >= 14.1 < 14.1.101 | 14.1.101 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for new administrative account creation originating from runkbot.exe on Quest KACE SMA systems, which may indicate post-exploitation persistence activity. ↗
- →Alert on outbound curl commands from Quest KACE SMA systems fetching Base64-encoded payloads, particularly to external IPs such as 216.126.225[.]156. ↗
- →Detect Windows Registry modifications initiated via PowerShell scripts on KACE SMA-managed hosts, which may indicate attacker persistence or system configuration tampering. ↗
- →Hunt for Mimikatz execution on hosts managed by or connected to Quest KACE SMA, as threat actors used it for credential harvesting post-exploitation. ↗
- →Monitor for enumeration commands (net time, net group) and RDP lateral movement targeting backup infrastructure (Veeam, Veritas) and domain controllers following KACE SMA authentication events. ↗
- →Flag Quest KACE SMA instances exposed to the internet running versions prior to 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4) as high-priority targets for active exploitation. ↗
- ·The vulnerability exists specifically in the SSO authentication handling mechanism of Quest KACE SMA; exploitation requires the appliance to be exposed to the internet. ↗
- ·Malicious activity was observed starting the week of March 9, 2026, targeting unpatched SMA systems exposed to the internet; internet-facing deployments are at highest risk. ↗
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck10.0CRITICAL
cisa10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Quest KACE SMA up to 14.1 improper authentication (EUVD-2025-19028 / Nessus ID 306731)
vuldb·2026-04-17·CVSS 10.0
CVE-2025-32975 [CRITICAL] Quest KACE SMA up to 14.1 improper authentication (EUVD-2025-19028 / Nessus ID 306731)
A vulnerability was found in Quest KACE SMA up to 14.1. It has been declared as critical. Affected by this issue is some unknown functionality. Executing a manipulation can lead to improper authentication.
This vulnerability is tracked as CVE-2025-32975. The attack can be launched remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
GHSA-hrwx-88rh-95q7: Quest KACE Systems Management Appliance (SMA) 13
ghsa_unreviewed·2025-06-26
CVE-2025-32975 [CRITICAL] CWE-287 GHSA-hrwx-88rh-95q7: Quest KACE Systems Management Appliance (SMA) 13
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
VulnCheck
Improper Authentication
vulncheck·2025·CVSS 10.0
CVE-2025-32975 [CRITICAL] Improper Authentication
Improper Authentication
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
Affected: Quest kace_systems_management_appliance
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://arcticwolf.com/resources/blog/cve-2025-32975/; https://x.com/CCBalert/status/2035047235382046869
CISA
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
cisa·2026-04-20·CVSS 10.0
CVE-2025-32975 [CRITICAL] CWE-287 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
Vulnerability: Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
Affected: Quest KACE Systems Management Appliance (SMA)
Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32975
Remediation Due Date: 2026-05-04
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
blogs_hackernews·2026-04-21·CVSS 7.5
CVE-2023-27351 [HIGH] CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2024-27199 (CVSS score: 7.3) -
Hackernews
Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems
blogs_hackernews·2026-03-23·CVSS 10.0
CVE-2025-32975 [CRITICAL] Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems
Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf.
The cybersecurity company said it observed malicious activity starting the week of March 9, 2026, in customer environments that's consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. It's currently not known what the end goals of the attack are.
CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that al
https://seclists.org/fulldisclosure/2025/Jun/22https://seralys.com/research/CVE-2025-32975.txthttps://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978http://seclists.org/fulldisclosure/2025/Jun/25https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975
2025-06-24
Published
2026-04-20
Added to CISA KEV
Exploited in the wild