Critical · CISA KEV · Exploited in the wild · Public exploit

Authentication Bypass in Quest KACE Systems Management Appliance SSO

Identifiers: CVE-2025-32975 · CWE-287 · Improper Authentication

CVE-2025-32975 is a critical improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) affecting the SSO authentication handling mechanism. The flaw allows a remote, unauthenticated attacker to impersonate legitimate users, including administrators, without supplying valid credentials. Available reporting indicates the issue stems from improper validation of authentication tokens or session state during the SSO process, causing the appliance to process requests as authenticated when credential verification has not actually occurred. On successful exploitation, an attacker can obtain administrative access to the SMA and use built-in management functionality to execute commands, deploy software, and alter configurations across managed endpoints. Observed exploitation in the wild has been associated with rapid administrative takeover of internet-exposed, unpatched SMA instances.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in complete administrative takeover of the Quest KACE SMA appliance. Because SMA is an endpoint and systems management platform, compromise can extend beyond the appliance itself to managed enterprise endpoints, enabling software deployment abuse, remote command execution, configuration changes, credential theft, lateral movement, and potential broader network compromise. Reported post-exploitation activity includes creation of rogue administrative accounts, payload delivery, PowerShell abuse, credential harvesting with Mimikatz, and access to backup infrastructure and domain controllers. The vulnerability has a reported CVSS score of 10.0 and has been observed under active exploitation.

Mitigation

If you can’t patch tonight, do this now.

Do not expose Quest KACE SMA directly to the internet; restrict remote administrative access to trusted paths such as VPN-only access. Hunt for unauthorized or newly created administrative accounts. Review appliance and endpoint activity for signs of abuse of KPluginRunProcess, runkbot.exe, PowerShell, curl, and credential-dumping tools, and investigate connections to reported infrastructure such as 216.126.225.156 where relevant. Rotate KACE administrative credentials and any credentials that may have been accessible from the appliance. If an instance was internet-exposed and unpatched, assume possible compromise until proven otherwise.
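As an added example (not part of the Mallory brief), the following Python hunt applies the indicators listed above to a constructed log sample: new administrative accounts on the appliance, the process and tool names the brief calls out, and connections to the reported address. The log line format, host names and account names are assumptions; real KACE and endpoint logs need their own parser.

```python
import re

# Indicators the brief tells defenders to hunt for after CVE-2025-32975 exploitation.
TOOL_INDICATORS = ("kpluginrunprocess", "runkbot.exe", "powershell", "curl", "mimikatz")
REPORTED_INFRA = {"216.126.225.156"}  # infrastructure named in the brief

# Constructed sample log (assumed format: "<ts> <host> <event> k=v ..."); not real KACE output.
SAMPLE_LOG = """\
2025-06-01T02:11:07Z kace-sma admin_account_created user=svc_sync2 by=admin src=198.51.100.23
2025-06-01T02:12:40Z ws-0412 process_start image=runkbot.exe parent=KPluginRunProcess
2025-06-01T02:13:02Z ws-0412 net_connect dst=216.126.225.156:443 image=curl.exe
2025-06-01T08:30:00Z ws-0099 process_start image=notepad.exe parent=explorer.exe
2025-06-01T09:00:00Z kace-sma admin_login user=admin src=10.0.5.7
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Split one assumed-format line into a dict of ts/host/event plus its k=v fields."""
    parts = line.split(" ", 3)
    ts, host, event = parts[:3]
    rest = parts[3] if len(parts) > 3 else ""
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return {"ts": ts, "host": host, "event": event, **fields}

def flag_event(ev):
    """Return the hunt reasons that apply to one parsed event (empty list = nothing of interest)."""
    reasons = []
    if ev["event"] == "admin_account_created":
        reasons.append(f"new admin account {ev.get('user')} created by {ev.get('by')}")
    # Match tool names against the process image, its parent and any command line, case-insensitively.
    blob = " ".join(ev.get(k, "") for k in ("image", "parent", "cmd")).lower()
    for tool in TOOL_INDICATORS:
        if tool in blob:
            reasons.append(f"tool indicator: {tool}")
    dst = ev.get("dst", "").rsplit(":", 1)[0]  # strip the port before comparing
    if dst in REPORTED_INFRA:
        reasons.append(f"connection to reported infrastructure {dst}")
    return reasons

def hunt(log_text):
    """Run every non-empty line through flag_event; return (host, event, reasons) for hits only."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = flag_event(ev)
        if reasons:
            hits.append((ev["host"], ev["event"], reasons))
    return hits

if __name__ == "__main__":
    for host, event, reasons in hunt(SAMPLE_LOG):
        print(f"{host:10} {event:22} -> {'; '.join(reasons)}")
```

Hits are a triage list, not a verdict: confirm each one against the appliance's own audit trail and the endpoint's process history before acting on it.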

Remediation

Patch, then assume compromise.

Upgrade Quest KACE SMA to a fixed release. Reported fixed versions are 13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, and 14.1.101 Patch 4. For supported 13.x branches, Quest also made a security hotfix available through the support portal for installation from the Admin console under Settings and Appliance Updates. Organizations should patch immediately and treat any previously internet-exposed, unpatched appliance as potentially compromised, performing incident response validation in addition to the software update.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Quest Software | Kace Systems Management Appliance | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware (2)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (1)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (70)

Community discussion across Reddit, Mastodon, and other social sources.