Security researchers have raised alarms over a critical vulnerability in the Quest KACE Systems Management Appliance (SMA) that is being actively exploited. The flaw, tracked as CVE-2025-32975 with a CVSS score of 10.0, allows attackers to bypass authentication and poses a significant risk to unpatched systems.
Details of the Vulnerability
Arctic Wolf, a cybersecurity firm, detected suspicious activity in early March 2026 indicating that threat actors are exploiting this vulnerability. The flaw lets unauthorized users impersonate legitimate ones, which on an unpatched appliance leads to full administrative control. Quest addressed the issue in May 2025, but many systems still appear to be unpatched.
The attackers have reportedly used the vulnerability to gain administrative privileges and execute remote commands. They have been observed deploying Base64-encoded payloads through external servers, indicating a well-coordinated attack strategy.
Method of Exploitation
Once in control, the attackers created additional administrative accounts through runkbot.exe, a process belonging to the SMA Agent. Because this process manages software installations and runs scripts, it let the attackers deepen their access. They also modified the Windows Registry with PowerShell scripts, likely for persistence and configuration manipulation.
Further malicious activity included harvesting credentials with tools such as Mimikatz and conducting reconnaissance by listing logged-in users and running network commands. The attackers also sought Remote Desktop Protocol (RDP) access to key infrastructure components such as backup systems and domain controllers.
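The post-exploitation behaviour described above is visible in ordinary process-creation telemetry, which gives defenders something concrete to hunt for while patching is under way. The following script is an added example, not code from the article, Arctic Wolf or Quest: it runs four detection rules over a handful of constructed process-creation events (the record shape, field names, hostnames, paths and command lines are all assumptions made for the example) and flags the SMA agent spawning account creation, Base64-encoded PowerShell whose decoded body writes to the registry, Mimikatz module syntax, and logged-in-user enumeration.

```python
"""Flag the post-exploitation behaviour the article describes in
process-creation records.  Added detection example; the record schema
and the sample events below are constructed, not real telemetry."""
import base64
import re


def encode_ps(command):
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text; used
    here only to build a realistic sample event."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Assumed record shape (one dict per process start, Sysmon Event ID 1 or an
# EDR equivalent).  Field names are an assumption, not a vendor schema.
SAMPLE_EVENTS = [  # constructed sample data
    {"host": "ws-01", "parent": r"C:\Program Files (x86)\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"host": "ws-01", "parent": r"C:\Program Files (x86)\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "ws-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         r"Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'"
         r" -Name svc -Value 'C:\ProgramData\svc.exe'")},
    {"host": "ws-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\m.exe",
     "cmdline": 'm.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"host": "ws-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\quser.exe", "cmdline": "quser"},
    {"host": "ws-02", "parent": r"C:\Program Files (x86)\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i agent.msi /qn"},  # benign: the agent's normal job
]

# -e / -en / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Cmdlets and commands that write to the registry.
REGISTRY = re.compile(r"Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand,
    else None.  Undecodable blobs are treated as 'no script'."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return None


def classify(event):
    """Return the names of the rules this event trips (empty for benign)."""
    hits = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    low = cmd.lower()
    # Rule 1: the SMA agent's runkbot.exe creating or elevating a local account.
    if (parent.endswith("runkbot.exe")
            and image.endswith(("net.exe", "net1.exe")) and "/add" in low):
        hits.append("sma-agent-account-creation")
    # Rule 2: encoded PowerShell whose decoded body modifies the registry.
    script = decode_encoded_command(cmd)
    if script is not None and REGISTRY.search(script):
        hits.append("encoded-powershell-registry-write")
    # Rule 3: Mimikatz module syntax, whatever the binary was renamed to.
    if re.search(r"sekurlsa::|lsadump::|mimikatz", low):
        hits.append("credential-dumping")
    # Rule 4: enumeration of logged-in users.
    if image.endswith(("quser.exe", "query.exe")) or low.startswith("query user"):
        hits.append("logged-in-user-recon")
    return hits


def scan(events):
    """Return only the events that tripped a rule, annotated with rule names."""
    findings = []
    for ev in events:
        rules = classify(ev)
        if rules:
            findings.append(dict(ev, rules=rules))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], finding["rules"], finding["cmdline"][:60])
```

Rule 1 keys on the parent process rather than on the account name, so it catches the agent being abused without needing to know the attacker's chosen user name, while the benign msiexec event under the same parent is left alone. Rule 2 decodes the blob before matching, because a Base64 payload defeats plain string matching on the command line.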
Preventive Measures
To mitigate this critical threat, cybersecurity experts strongly advise applying the latest patches provided by Quest. Administrators should ensure that SMA instances are not exposed to the internet. The issue is resolved in software versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
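Checking a fleet of appliances against the fixed builds listed above is a mechanical comparison that is easy to get wrong by hand when several release branches are in play. The following script is an added example, not a Quest tool: it parses SMA version strings, compares each against the fixed build for its major.minor branch, and groups hosts by status. The inventory and hostnames are constructed, and it assumes (the article does not say this explicitly) that any build on a listed branch older than that branch's fixed build is vulnerable and that branches not listed cannot be judged from the article alone.

```python
"""Triage Quest KACE SMA version strings against the fixed builds the
article lists for CVE-2025-32975.  Added example, not Quest's tooling."""

# Fixed releases as stated in the article, keyed by major.minor branch.
FIXED_VERSIONS = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),  # Patch 5
    (14, 1): (14, 1, 101),  # Patch 4
}


def parse_version(text):
    """Turn '14.0.341' or '14.0.341 (Patch 5)' into (14, 0, 341).
    Raises ValueError on anything that is not three numeric fields."""
    core = text.split("(")[0].strip()
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected SMA version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one SMA instance.

    Assumption (not stated in the article): builds on a listed branch that
    are older than the branch's fixed build are vulnerable; branches the
    article does not list get 'unknown' and must be checked with Quest.
    """
    major, minor, build = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor, build) >= fixed else "vulnerable"


def triage(inventory):
    """inventory: {hostname: version string}.  Returns hosts grouped by
    status, so the 'vulnerable' list can go straight into a patching ticket."""
    groups = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[patch_status(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "kace-prod-01": "14.0.341 (Patch 5)",
        "kace-prod-02": "14.0.338",
        "kace-lab-01": "13.2.183",
        "kace-old-01": "12.1.169",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The comparison is done per branch rather than as a single global threshold because 13.2.183 is a fixed build while the numerically larger 14.0.338 is not; treating the version as one number would misclassify both.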
By implementing these measures, organizations can protect their systems from being compromised by these sophisticated attacks. Continuous monitoring and prompt application of security updates are crucial in maintaining robust cybersecurity defenses.
