CVE-2025-32976
published 2025-06-24CVE-2025-32976: Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and…
PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.79%
51.6th percentile
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access.
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability is a logic flaw in the TOTP-based 2FA validation process of Quest KACE SMA; monitor for authenticated sessions that bypass 2FA enforcement, particularly where TOTP validation is skipped or returns success without a valid token ↗
- →Monitor Quest KACE SMA for authenticated users gaining elevated access without completing the expected TOTP challenge/response flow, which may indicate exploitation of this 2FA bypass ↗
- →CISA has added this to the KEV catalog as an actively exploited improper authentication vulnerability; prioritize detection of credential impersonation attempts against Quest KACE SMA instances ↗
- ·Affected versions are 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4); ensure detection rules scope to these versions ↗
- ·Vendor advisory covers multiple related CVEs (CVE-2025-32975, CVE-2025-32976, CVE-2025-32977, CVE-2025-32978); review all when assessing exposure and tuning detections ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cisa10.0CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Quest KACE SMA up to 14.1 2FA authentication bypass (EUVD-2025-19034 / Nessus ID 306731)
vuldb·2026-04-17·CVSS 8.8
CVE-2025-32976 [HIGH] Quest KACE SMA up to 14.1 2FA authentication bypass (EUVD-2025-19034 / Nessus ID 306731)
A vulnerability was found in Quest KACE SMA up to 14.1. It has been rated as critical. This affects an unknown part of the component 2FA. The manipulation leads to authentication bypass using alternate channel.
This vulnerability is listed as CVE-2025-32976. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
GHSA
GHSA-m359-p2w2-2pxh: Quest KACE Systems Management Appliance (SMA) 13
ghsa_unreviewed·2025-06-26
CVE-2025-32976 [HIGH] CWE-288 GHSA-m359-p2w2-2pxh: Quest KACE Systems Management Appliance (SMA) 13
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access.
CISA
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
cisa·2026-04-20·CVSS 10.0
CVE-2025-32975 [CRITICAL] CWE-287 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
Vulnerability: Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
Affected: Quest KACE Systems Management Appliance (SMA)
Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32975
Remediation Due Date: 2026-05-04
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-06-24
Published