CVE-2025-32975 - Exploitation of Quest KACE Systems Alert
Basically, a security flaw lets hackers take control of certain computer systems without permission.
Malicious activity linked to CVE-2025-32975 has been observed on unpatched Quest KACE Systems Management Appliances. This vulnerability allows unauthorized access, risking administrative control. Organizations must patch their systems to mitigate these risks.
The Flaw
CVE-2025-32975 is a critical vulnerability found in the Quest KACE Systems Management Appliance (SMA). This flaw allows threat actors to bypass authentication, enabling them to impersonate legitimate users. The vulnerability resides in the Single Sign-On (SSO) authentication process, which can lead to complete administrative takeover of the appliance. Notably, this vulnerability was patched in May 2025, yet many instances remain unpatched and exposed to the internet.
Starting the week of March 9, 2026, Arctic Wolf detected malicious activities in customer environments that appear to be linked to the exploitation of this vulnerability. The attackers leveraged the flaw to gain unauthorized access, indicating that organizations must act swiftly to mitigate risks.
What's at Risk
The Quest KACE SMA is designed for centralized endpoint management, which includes inventory management, software deployment, and endpoint monitoring. If compromised, attackers can gain administrative control over the entire system, potentially leading to widespread data breaches and operational disruptions.
The observed exploitation involved various techniques, including executing remote commands and creating unauthorized administrative accounts. These actions could allow attackers to manipulate system settings, harvest credentials, and even move laterally within the network to access other critical systems.
Patch Status
As of now, Arctic Wolf emphasizes the importance of upgrading to the latest fixed version of Quest KACE SMA. The following versions are recommended:
- Version 13.0.385 or later
- Version 13.1.81 or later
- Version 13.2.183 or later
- Version 14.0.341 (Patch 5) or later
- Version 14.1.101 (Patch 4) or later
Organizations should follow their internal patching and testing guidelines to minimize operational impacts while ensuring that their systems are secured against this vulnerability.
Immediate Actions
To protect against CVE-2025-32975, Arctic Wolf recommends the following immediate actions:
- Upgrade to the latest fixed version of Quest KACE SMA to close the vulnerability.
- Remove any publicly exposed instances of KACE SMA from the internet. If remote access is necessary, it should be secured through a VPN or firewall.
- Implement best practices by keeping management appliances non-internet-facing unless absolutely required. This reduces the attack surface and enhances overall security posture.
By taking these steps, organizations can significantly reduce their risk of exploitation and protect sensitive data from unauthorized access.