CVE-2025-32975
published 2025-06-24

CVE-2025-32975: Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and…

Priority: P1 (92) · critical · CVSS 3.1 base score: 10
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Badges: KEV, ITW
CISA Known Exploited Vulnerability, due 2026-05-04
Exploited in the wild
EPSS: 2.42% (percentile 82.1)
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.

Affected

5 ranges

Vendor   Product                              Version range          Fixed in
quest    kace_systems_management_appliance    >= 13.0 < 13.0.385     13.0.385
quest    kace_systems_management_appliance    >= 13.1 < 13.1.81      13.1.81
quest    kace_systems_management_appliance    >= 13.2 < 13.2.183     13.2.183
quest    kace_systems_management_appliance    >= 14.0 < 14.0.341     14.0.341
quest    kace_systems_management_appliance    >= 14.1 < 14.1.101     14.1.101

Detection & IOCs (extracted from sources)

IP: 216.126.225[.]156
Command: curl <Base64-encoded payload> from 216.126.225[.]156
Process: runkbot.exe
  • Monitor for new administrative account creation originating from runkbot.exe on Quest KACE SMA systems, which may indicate post-exploitation persistence activity.
  • Alert on outbound curl commands from Quest KACE SMA systems fetching Base64-encoded payloads, particularly to external IPs such as 216.126.225[.]156.
  • Detect Windows Registry modifications initiated via PowerShell scripts on KACE SMA-managed hosts, which may indicate attacker persistence or system configuration tampering.
  • Hunt for Mimikatz execution on hosts managed by or connected to Quest KACE SMA, as threat actors used it for credential harvesting post-exploitation.
  • Monitor for enumeration commands (net time, net group) and RDP lateral movement targeting backup infrastructure (Veeam, Veritas) and domain controllers following KACE SMA authentication events.
  • Flag Quest KACE SMA instances exposed to the internet running versions prior to 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4) as high-priority targets for active exploitation.
  • The vulnerability exists specifically in the SSO authentication handling mechanism of Quest KACE SMA; exploitation requires the appliance to be exposed to the internet.
  • Malicious activity was observed starting the week of March 9, 2026, targeting unpatched SMA systems exposed to the internet; internet-facing deployments are at highest risk.

CVSS provenance

Source      Version   Score   Severity    Vector
nvd         v3.1      10.0    CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck             10.0    CRITICAL
cisa                  10.0    CRITICAL